Re: [PATCH ghak90 V9 02/13] audit: add container id

2020-07-29 Thread Richard Guy Briggs
On 2020-07-05 11:09, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote: > > > > Implement the proc fs write to set the audit container identifier of a > > process, emitting an AUDIT_CONTAINER_OP record to document the event. > > > > T

Re: Adding audit support to dpkg

2020-08-04 Thread Richard Guy Briggs
here isn't a conflict of type or meaning for an existing one: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv Other documents in this set might be helpful: https://github.com/linux-audit/audit-documentation/wiki > Guillem - R

Re: [PATCH ghak90 V9 11/13] audit: contid check descendancy and nesting

2020-08-07 Thread Richard Guy Briggs
On 2020-07-05 11:11, Paul Moore wrote: > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs wrote: > > Require the target task to be a descendant of the container > > orchestrator/engine. > > > > You would only change the audit container ID from one set or inherited

[[PATCH V4]] audit: trigger accompanying records when no rules present

2020-09-10 Thread Richard Guy Briggs
sues/120 This is also related to upstream github issue https://github.com/linux-audit/audit-kernel/issues/96 Signed-off-by: Richard Guy Briggs --- Passes audit-testsuite. Changelog: v4: - rebase on audit/next v5.9-rc1 - squash v2+v3fix - add pwd NULL check in audit_log_name() - resubmit aft

Re: [[PATCH V4]] audit: trigger accompanying records when no rules present

2020-09-21 Thread Richard Guy Briggs
On 2020-09-15 12:18, Paul Moore wrote: > On Thu, Sep 10, 2020 at 11:03 AM Richard Guy Briggs wrote: > > > > When there are no audit rules registered, mandatory records (config, > > etc.) are missing their accompanying records (syscall, proctitle, etc.). > > > > T

Re: [[PATCH V4]] audit: trigger accompanying records when no rules present

2020-09-22 Thread Richard Guy Briggs
On 2020-09-21 19:31, Paul Moore wrote: > On Mon, Sep 21, 2020 at 3:57 PM Richard Guy Briggs wrote: > > On 2020-09-15 12:18, Paul Moore wrote: > > > On Thu, Sep 10, 2020 at 11:03 AM Richard Guy Briggs > > > wrote: > > > > > > > > When the

[PATCH ghak120 V5] audit: trigger accompanying records when no rules present

2020-09-22 Thread Richard Guy Briggs
-off-by: Richard Guy Briggs --- Changelog: v5: - open code audit_clear_dummy() in audit_log_start() - fix check for ctx->pwd in audit_log_name() - open code _audit_getcwd() contents in audit_alloc_name() - ditch all *audit_getcwd() calls v4: - resubmit after revert v3: - initialize fds[0] t

Re: [PATCH ghak120 V5] audit: trigger accompanying records when no rules present

2020-09-23 Thread Richard Guy Briggs
On 2020-09-23 10:29, Paul Moore wrote: > On Tue, Sep 22, 2020 at 8:45 AM Richard Guy Briggs wrote: > > > > When there are no audit rules registered, mandatory records (config, > > etc.) are missing their accompanying records (syscall, proctitle, etc.). > > > > T

auditing signals

2020-09-29 Thread Richard Guy Briggs
ne, there is no issue. If you are still reading this far, the interest in this arose from trying to find a way to connect potentially multiple OBJ_PID records with different CONTAINER_ID records in the ghak90 Audit Container ID patchset rather than using the op= field. Thanks! - RGB -- Ri

Re: [PATCH ghak90 V9 06/13] audit: add contid support for signalling the audit daemon

2020-10-02 Thread Richard Guy Briggs
On 2020-08-21 14:48, Paul Moore wrote: > On Wed, Jul 29, 2020 at 3:00 PM Richard Guy Briggs wrote: > > On 2020-07-05 11:10, Paul Moore wrote: > > > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs > > > wrote: > > > > > > > > Add audit conta

Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-10-02 Thread Richard Guy Briggs
On 2020-08-21 15:15, Paul Moore wrote: > On Wed, Jul 29, 2020 at 3:41 PM Richard Guy Briggs wrote: > > On 2020-07-05 11:10, Paul Moore wrote: > > > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs > > > wrote: > > ... > > > > > diff --git a/k

Re: [PATCH ghak90 V9 11/13] audit: contid check descendancy and nesting

2020-10-06 Thread Richard Guy Briggs
On 2020-08-21 16:13, Paul Moore wrote: > On Fri, Aug 7, 2020 at 1:10 PM Richard Guy Briggs wrote: > > On 2020-07-05 11:11, Paul Moore wrote: > > > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs > > > wrote: > > > > Require the target t

Re: auditing signals

2020-10-07 Thread Richard Guy Briggs
On 2020-09-29 15:17, Richard Guy Briggs wrote: > Hello auditors and auditees... > > Have you got any rules or tests to test audit logging signals or ptrace? > > I thought I understood how it worked, but it appears I need to signal a task > group. Ok, I got a hint elsewhe

Re: Identifying thread/process termination

2020-10-08 Thread Richard Guy Briggs
in the way of significant boundaries between threads. > > To get the information you are looking for, I think we would need to > add an additional task/thread ID to the relevant records and that > would be *very* messy. I would say that adding a thread ID rather than changing any existing

Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-10-21 Thread Richard Guy Briggs
On 2020-10-02 15:52, Richard Guy Briggs wrote: > On 2020-08-21 15:15, Paul Moore wrote: > > On Wed, Jul 29, 2020 at 3:41 PM Richard Guy Briggs wrote: > > > On 2020-07-05 11:10, Paul Moore wrote: > > > > On Sat, Jun 27, 2020 at 9:22 AM Rich

Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-10-21 Thread Richard Guy Briggs
On 2020-10-21 12:49, Steve Grubb wrote: > On Wednesday, October 21, 2020 12:39:26 PM EDT Richard Guy Briggs wrote: > > > I think I have a way to generate a signal to multiple targets in one > > > syscall... The added challenge is to also give those targets different

Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls

2020-10-23 Thread Richard Guy Briggs
On 2020-10-22 21:21, Paul Moore wrote: > On Wed, Oct 21, 2020 at 12:39 PM Richard Guy Briggs wrote: > > Here is an example I was able to generate after updating the testsuite > > script to include a signalling example of a nested audit container > > identifier: > > >

Re: [RFC PATCH] audit-testsuite: tests for subject and object correctness

2020-11-02 Thread Richard Guy Briggs
) { > +$found_objattr = 1; > +} > +if ( $line =~ / obj_smack=/ ) { > +$found_objattr = 1; > + } > +} > + > +# three cases: > +# no subj= field or MAC_TASK_CONTEXTS when no supplying LSM > +# subj=$value field, no MAC_TASK_CONTEXTS for exactl

Re: [RFC PATCH] audit-testsuite: tests for subject and object correctness

2020-11-02 Thread Richard Guy Briggs
On 2020-11-02 14:51, Casey Schaufler wrote: > On 11/2/2020 2:08 PM, Richard Guy Briggs wrote: > > On 2020-11-02 13:54, Casey Schaufler wrote: > >> Verify that there are subj= and obj= fields in a record > >> if and only if they are expected. A system without a securit

Re: [RFC PATCH] audit-testsuite: tests for subject and object correctness

2020-11-03 Thread Richard Guy Briggs
On 2020-11-02 22:31, Paul Moore wrote: > On Mon, Nov 2, 2020 at 8:19 PM Richard Guy Briggs wrote: > > On 2020-11-02 14:51, Casey Schaufler wrote: > > > On 11/2/2020 2:08 PM, Richard Guy Briggs wrote: > > > > On 2020-11-02 13:54, Casey Schaufler wrote: > > >

Re: [RFC PATCH] audit-testsuite: tests for subject and object correctness

2020-11-09 Thread Richard Guy Briggs
On 2020-11-06 16:51, Casey Schaufler wrote: > On 11/2/2020 7:31 PM, Paul Moore wrote: > > On Mon, Nov 2, 2020 at 8:19 PM Richard Guy Briggs wrote: > >> On 2020-11-02 14:51, Casey Schaufler wrote: > >>> On 11/2/2020 2:08 PM, Richard Guy Briggs wrote: > >>

Re: [PATCH] audit: remove unused macros

2020-11-10 Thread Richard Guy Briggs
13 ("AUDIT: Add message types to audit records") Introduced here: 8e633c3fb2a2 David Woodhouse 2005-03-01 ("Audit IPC object owner/permission changes.") I agree, remove it. > /* Number of target pids per aux struct. */ > #define AUDIT_AUX_PIDS 16 >

Re: [PATCH] audit: remove unused macros

2020-11-10 Thread Richard Guy Briggs
On 2020-11-10 21:47, Paul Moore wrote: > On Tue, Nov 10, 2020 at 10:23 AM Richard Guy Briggs wrote: > > On 2020-11-06 16:31, Alex Shi wrote: > > > Some unused macros could cause gcc warning: > > > kernel/audit.c:68:0: warning: macro "AUDIT_UNINITIALIZED"

Re: [PATCH] audit: remove unused macros

2020-11-11 Thread Richard Guy Briggs
kernel/auditsc.c:82:0: warning: macro "AUDITSC_INVALID" is not used > [-Wunused-macros] > > AUDIT_UNINITIALIZED and AUDITSC_INVALID are still meaningful and could > be used in code. "and should be incorporated" > Just remove AUDIT_AUX_IPCPERM. > > Thank

Re: [PATCH v2] audit: report audit wait metric in audit status reply

2020-12-03 Thread Richard Guy Briggs
her feature is added to the audit status and that is backported to a distro rather than this one. It would be impossible to determine which feature it was from the size alone. Keying off specific fields in the kernel should be able to do this at build time if I understood correctly. > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit

Re: [PATCH v2] audit: report audit wait metric in audit status reply

2020-12-03 Thread Richard Guy Briggs
On 2020-12-03 10:37, Paul Moore wrote: > On Thu, Dec 3, 2020 at 7:37 AM Richard Guy Briggs wrote: > > On 2020-12-02 23:12, Paul Moore wrote: > > > On Wed, Dec 2, 2020 at 10:52 PM Steve Grubb wrote: > > > > We need this FEATURE_BITMAP to do anything in userspac

[RFC PATCH ghau10 v1] fix FEATURE_VERSION vs FEATURE_BITMAP

2020-12-03 Thread Richard Guy Briggs
uditctl") fixes: f588248775b4f8180b846bbc1681bc54e07871ed ("Better detect struct audit_status existence") fixes: bed754a651f47f5a83bbf565609e4936b0270269 ("Fix building on old kernels") Please see issue page https://github.com/linux-audit/audit-userspace/issues/10 Signed-off-by: Richard Guy

Re: Audit firewall changes in RHEL 8

2020-12-07 Thread Richard Guy Briggs
is a distro-specific question that should be asked in the appropriate vendor forum, but are expected to be backported. > Gary Smith - RGB

Re: [PATCH v2] audit: report audit wait metric in audit status reply

2020-12-07 Thread Richard Guy Briggs
On 2020-12-07 16:13, Max Englander wrote: > On Fri, Dec 4, 2020 at 3:41 PM Paul Moore wrote: > > > On Thu, Dec 3, 2020 at 9:47 PM Steve Grubb wrote: > > > On Thursday, December 3, 2020 9:16:52 PM EST Paul Moore wrote: > > > > > > > Author: Richard

Re: lost events on boot

2020-12-07 Thread Richard Guy Briggs
uld have fit. I guess that > depends on the buffer size. Good thinking, and you are correct. That backlog limit may need to be increased for more recent kernels since there are more events caught and some events have more records. > Appreciate the help in advance; thanks. I hope this helps.

Re: [PATCH v2] audit: report audit wait metric in audit status reply

2020-12-07 Thread Richard Guy Briggs
r metrics would be good. I'd like to see a max_backlog to know if we are > wasting memory. It would just record the highwater mark since auditing was > enabled. That would be covered with this issue: https://github.com/linux-audit/audit-kernel/issues/63 > -Steve - RGB -

Re: [PATCH v2] audit: report audit wait metric in audit status reply

2020-12-08 Thread Richard Guy Briggs
On 2020-12-07 22:34, Steve Grubb wrote: > On Monday, December 7, 2020 8:34:35 PM EST Richard Guy Briggs wrote: > > On 2020-12-07 18:28, Steve Grubb wrote: > > > Hello Max, > > > > > > On Monday, December 7, 2020 4:28:14 PM EST Max Englander wrote: > > &

Re: [PATCH -next] kernel/audit: convert comma to semicolon

2020-12-11 Thread Richard Guy Briggs
oldloginuid = from_kuid(&init_user_ns, koldloginuid); > - loginuid = from_kuid(&init_user_ns, kloginuid), > + loginuid = from_kuid(&init_user_ns, kloginuid); Nice catch. That went unnoticed through 3 patches, the last two mine... Not quite sure why no compiler complained abou

[PATCH ghak90 v10 00/11] audit: implement container identifier

2020-12-21 Thread Richard Guy Briggs
of container list functions - rename containerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NET

[PATCH ghak90 v10 01/11] audit: collect audit task parameters

2020-12-21 Thread Richard Guy Briggs
nel/issues/90 Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- fs/io-wq.c| 8 +-- fs/io_uring.c | 16 ++--- include/linux/audit.h | 49 +- include/linux/sched.h | 7 +- init/init_task.c | 3 +- init/main.c

[PATCH ghak90 v10 02/11] audit: add container id

2020-12-21 Thread Richard Guy Briggs
the github audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Serge

[PATCH ghak90 v10 03/11] audit: log container info of syscalls

2020-12-21 Thread Richard Guy Briggs
udit-userspace/issues/51 Please see the github audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Ri

[PATCH ghak90 v10 07/11] audit: add containerid filtering

2020-12-21 Thread Richard Guy Briggs
audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by

[PATCH ghak90 v10 04/11] audit: add contid support for signalling the audit daemon

2020-12-21 Thread Richard Guy Briggs
to reflect the new record request and reply type. An older userspace won't break since it won't know to request this record type. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 7 +++ include/uapi/linux/audit.h | 1 + kernel/audit.c

[PATCH ghak90 v10 05/11] audit: add support for non-syscall auxiliary records

2020-12-21 Thread Richard Guy Briggs
ked by timestamp and serial. Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h | 8 kernel/audit.h| 1 + kernel/auditsc.c | 31 ++- 3 files changed, 35 insert

[PATCH ghak90 v10 06/11] audit: add containerid support for user records

2020-12-21 Thread Richard Guy Briggs
Add audit container identifier auxiliary record to user event standalone records. Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- kernel/audit.c | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/kernel/audit.c b/kernel

[PATCH ghak90 v10 08/11] audit: add support for containerid to network namespaces

2020-12-21 Thread Richard Guy Briggs
://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h| 17 +++ kernel/audit.c | 229 ++- kernel/nsproxy.c | 4 + net

[PATCH ghak90 v10 09/11] audit: contid check descendancy and nesting

2020-12-21 Thread Richard Guy Briggs
orchestrator as the one that set it so it is not possible to change the contid of another orchestrator's container. Since the task_is_descendant() function is used in YAMA and in audit, remove the duplication and pull the function into kernel/core/sched.c Signed-off-by: Richard Guy B

[PATCH ghak90 v10 10/11] audit: track container nesting

2020-12-21 Thread Richard Guy Briggs
amespace B. An event happens in network namespace B: type=NETFILTER_PKT ... type=CONTAINER_ID msg=audit(:): contid=2,^1,3,^1 Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 75 +- 1 file changed, 62 insertions(+), 13 deletions(-) diff

[PATCH ghak90 v10 11/11] audit: add capcontid to set contid outside init_user_ns

2020-12-21 Thread Richard Guy Briggs
ned-off-by: Richard Guy Briggs --- .../ABI/testing/procfs-audit_containerid | 16 + fs/proc/base.c| 54 +++ include/linux/audit.h | 4 +- include/uapi/linux/audit.h| 1 + kern

[PATCH ghau51/ghau40 v10 00/11] add support for audit container identifier

2020-12-21 Thread Richard Guy Briggs
AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch, normalization Richard Guy Briggs (11): AUDIT_CONTAINER_OP message type basic support AUDIT_CONTAINER_ID message type basic support auditctl: add support for AUDIT_CONTID filter add ausearch containerid support start normalization containerid sup

[PATCH ghau51/ghau40 v10 02/11] AUDIT_CONTAINER_ID message type basic support

2020-12-21 Thread Richard Guy Briggs
/90 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- lib/libaudit.h| 4 lib/msg_typetab.h | 1 + 2 files changed, 5 insertions(+) diff --git a/lib/libaudit.h b

[PATCH ghau51/ghau40 v10 01/11] AUDIT_CONTAINER_OP message type basic support

2020-12-21 Thread Richard Guy Briggs
-audit/audit-userspace/issues/51 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- lib/libaudit.h | 4 lib

[PATCH ghau51/ghau40 v10 04/11] add ausearch containerid support

2020-12-21 Thread Richard Guy Briggs
Add support to ausearch for searching on the containerid field in records. Signed-off-by: Richard Guy Briggs --- src/aureport-options.c | 1 + src/ausearch-llist.c | 2 ++ src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 +++ src/ausearch-options.c | 48

[PATCH ghau51/ghau40 v10 05/11] start normalization containerid support

2020-12-21 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- auparse/auparse-defs.h | 3 ++- auparse/interpret.c | 10 ++ auparse/normalize_record_map.h | 2 ++ auparse/typetab.h| 2 ++ bindings/python/auparse_python.c | 1 + 5 files changed, 17 insertions(+), 1

[PATCH ghau51/ghau40 v10 06/11] libaudit: add support to get the task audit container identifier

2020-12-21 Thread Richard Guy Briggs
Add the audit_get_containerid() call analogous to audit_getloginuid() and audit_get_session() calls to get our own audit container identifier. This is intended as a debug patch, not to be upstreamed. Signed-off-by: Richard Guy Briggs --- docs/Makefile.am | 2 +- docs

[PATCH ghau51/ghau40 v10 09/11] contid: interpret correctly CONTAINER_ID contid field csv

2020-12-21 Thread Richard Guy Briggs
:18.746:1690) : contid=777,666,333 Signed-off-by: Richard Guy Briggs --- src/ausearch-report.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/ausearch-report.c b/src/ausearch-report.c index 416c2b13fa6a..754b28af2cb6 100644 --- a/src/ausearch-report.c +++ b/src

[PATCH ghau51/ghau40 v10 08/11] add support for audit_signal_info2

2020-12-21 Thread Richard Guy Briggs
; uint64_tcid; charctx[]; }; Signed-off-by: Richard Guy Briggs --- auparse/auditd-config.c | 1 + docs/audit_request_signal_info.3 | 15 - lib/libaudit.c | 56 +++- lib/libaudit.h | 16

[PATCH ghau51/ghau40 v10 07/11] signal_info: only print context if it is available.

2020-12-21 Thread Richard Guy Briggs
Signed-off-by: Richard Guy Briggs --- src/auditd-event.c| 20 +++- src/auditd-reconfig.c | 2 -- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/src/auditd-event.c b/src/auditd-event.c index e6b2a961f02b..800f4d83bc83 100644 --- a/src/auditd-event.c +++ b/src

[PATCH ghau51/ghau40 v10 11/11] libaudit: add support to get and set capcontid on a task

2020-12-21 Thread Richard Guy Briggs
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs --- auparse/normalize.c| 1 + auparse

[PATCH ghau51/ghau40 v10 10/11] ausearch: convert contid to comma-sep/carrat-mod cnode/clist

2020-12-21 Thread Richard Guy Briggs
Now that the kernel is able to track container nesting ("audit: track container nesting"), convert the ausearch internals to parse and track the compound list of contids stored in their native u64 format for faster and more efficient processing. Signed-off-by: Richard Guy Briggs

[PATCH ghau51/ghau40 v10 03/11] auditctl: add support for AUDIT_CONTID filter

2020-12-21 Thread Richard Guy Briggs
tion. See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs

Re: [PATCH ghak90 v10 01/11] audit: collect audit task parameters

2020-12-21 Thread Richard Guy Briggs
On 2020-12-21 12:14, Paul Moore wrote: > On Mon, Dec 21, 2020 at 11:57 AM Richard Guy Briggs wrote: > > > > The audit-related parameters in struct task_struct should ideally be > > collected together and accessed through a standard audit API and the audit > > stru

[PATCH ghak90 v11 00/11] audit: implement container identifier

2021-01-12 Thread Richard Guy Briggs
ainerid to contid - convert initial container record to syscall aux - fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name collision v2 - add check for children and threads - add network namespace container identifier list - add NETFILTER_PKT audit container identifier logging

[PATCH ghak90 v11 01/11] audit: collect audit task parameters

2021-01-12 Thread Richard Guy Briggs
nel/issues/90 Signed-off-by: Richard Guy Briggs --- Acks removed due to significant code changes hiding audit task struct: Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- fs/io-wq.c| 8 +-- fs/io_uring.c | 16 ++--- include/linux/audit.h | 49 +- inc

[PATCH ghak90 v11 02/11] audit: add container id

2021-01-12 Thread Richard Guy Briggs
issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- Acks dropped due to log drop added 7.3, r

[PATCH ghak90 v11 03/11] audit: log container info of syscalls

2021-01-12 Thread Richard Guy Briggs
nux-audit/audit-userspace/issues/51 Please see the github audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID S

[PATCH ghak90 v11 04/11] audit: add contid support for signalling the audit daemon

2021-01-12 Thread Richard Guy Briggs
to reflect the new record request and reply type. An older userspace won't break since it won't know to request this record type. Signed-off-by: Richard Guy Briggs --- Acks from nhorman/omosnace should have been added in v6. Acks dropped due to restructure audit_sig_info2 for nesting

[PATCH ghak90 v11 05/11] audit: add support for non-syscall auxiliary records

2021-01-12 Thread Richard Guy Briggs
ked by timestamp and serial. Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h | 8 kernel/audit.h| 1 + kernel/auditsc.c | 31 ++- 3 files changed, 35 insert

[PATCH ghak90 v11 06/11] audit: add containerid support for user records

2021-01-12 Thread Richard Guy Briggs
Add audit container identifier auxiliary record to user event standalone records. Signed-off-by: Richard Guy Briggs Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- kernel/audit.c | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/kernel/audit.c b/kernel

[PATCH ghak90 v11 07/11] audit: add containerid filtering

2021-01-12 Thread Richard Guy Briggs
audit testsuite issue for the test case: https://github.com/linux-audit/audit-testsuite/issues/64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn Acked-by

[PATCH ghak90 v11 09/11] audit: contid check descendancy and nesting

2021-01-12 Thread Richard Guy Briggs
orchestrator as the one that set it so it is not possible to change the contid of another orchestrator's container. Since the task_is_descendant() function is used in YAMA and in audit, remove the duplication and pull the function into kernel/core/sched.c Signed-off-by: Richard Guy B

[PATCH ghak90 v11 10/11] audit: track container nesting

2021-01-12 Thread Richard Guy Briggs
amespace B. An event happens in network namespace B: type=NETFILTER_PKT ... type=CONTAINER_ID msg=audit(:): contid=2,^1,3,^1 Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 75 +- 1 file changed, 62 insertions(+), 13 deletions(-) diff
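
The nested contid list shown in the "track container nesting" entries above (contid=2,^1,3,^1), the flat comma-separated form from the "interpret correctly CONTAINER_ID contid field csv" entry (contid=777,666,333), and the ausearch "comma-sep/carrat-mod cnode/clist" conversion all describe one field format. The following is an added example, not code from the patchset or the audit userspace, of a parser for that format plus the nesting-aware match an ausearch-style filter would need. It assumes, since the page does not spell it out, that a token prefixed with "^" names an ancestor of the most recent un-prefixed contid, so "2,^1,3,^1" means two containers, 2 and 3, each nested inside container 1. The sample records are constructed; their timestamps and serials are made up.

```python
# Added example (not from the ghak90 patchset or audit-userspace): parse the
# nested "contid=" field of a CONTAINER_ID record and match it the way a
# nesting-aware ausearch filter would.
# Assumption (not stated on the page): "^N" marks N as an ancestor of the
# most recent un-prefixed contid, nearest ancestor first.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ContidNode:
    contid: int
    ancestors: List[int] = field(default_factory=list)  # nearest first


def parse_contid_list(value: str) -> List[ContidNode]:
    """Parse the bare value of a contid= field, e.g. "2,^1,3,^1" or "777,666,333"."""
    nodes: List[ContidNode] = []
    if value.strip() == "":
        return nodes
    for tok in value.split(","):
        tok = tok.strip()
        is_ancestor = tok.startswith("^")
        num_text = tok[1:] if is_ancestor else tok
        if not num_text.isdigit():
            raise ValueError(f"bad contid token {tok!r}")
        num = int(num_text)
        if is_ancestor:
            # An ancestor marker must follow the contid it belongs to.
            if not nodes:
                raise ValueError("ancestor marker before any contid")
            nodes[-1].ancestors.append(num)
        else:
            nodes.append(ContidNode(num))
    return nodes


def contid_from_record(record: str) -> List[ContidNode]:
    """Pull the contid= field out of a full audit record line (fields are space separated)."""
    for tok in record.split():
        if tok.startswith("contid="):
            return parse_contid_list(tok[len("contid="):])
    return []


def record_matches_contid(record: str, wanted: int) -> bool:
    """True if the record belongs to container `wanted` or to a container nested inside it."""
    return any(wanted == n.contid or wanted in n.ancestors
               for n in contid_from_record(record))


def filter_records(records: List[str], wanted: int) -> List[str]:
    """The nesting-aware equivalent of searching on a single containerid."""
    return [r for r in records if record_matches_contid(r, wanted)]


# Constructed sample records modelled on the example in the patch description;
# the msg=audit(...) timestamps and serials are invented.
SAMPLE_RECORDS = [
    "type=CONTAINER_ID msg=audit(1608570000.123:100): contid=2,^1,3,^1",
    "type=CONTAINER_ID msg=audit(1608570000.124:101): contid=777,666,333",
    "type=CONTAINER_ID msg=audit(1608570000.125:102): contid=4,^3,^1",
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(contid_from_record(rec))
    # Searching for container 1 picks up records 100 and 102, whose
    # containers are nested inside 1, but not the flat record 101.
    print(filter_records(SAMPLE_RECORDS, 1))
```

Searching for an orchestrator's top-level contid returns the events of every container nested under it, which is the point of carrying the ancestor list in the record rather than only the leaf contid. A token with "^" before any contid is rejected rather than silently dropped, since a malformed field in a security log should surface as an error.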

[PATCH ghak90 v11 11/11] audit: add capcontid to set contid outside init_user_ns

2021-01-12 Thread Richard Guy Briggs
ned-off-by: Richard Guy Briggs --- .../ABI/testing/procfs-audit_containerid | 16 + fs/proc/base.c| 54 +++ include/linux/audit.h | 4 +- include/uapi/linux/audit.h| 1 + kern

[PATCH ghak90 v11 08/11] audit: add support for containerid to network namespaces

2021-01-12 Thread Richard Guy Briggs
ee the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- Acks removed due to redo rcu/spin locking: Acked-by: Neil Horman Reviewed-by: Ondrej Mosnacek --- include/linux/audit.h| 17 +++ k

Re: Occasional delayed output of events

2021-01-15 Thread Richard Guy Briggs
dit-3.0, doing a diff > > > > between it and audit-2.8.5 for the auparse directory does show some > > > > differences in event collection/grouping/next_event. A lot of the > > > > differences > > > > are cosmetic to fix extra whitespace or indentation. But if you skip > >

Re: Occasional delayed output of events

2021-01-19 Thread Richard Guy Briggs
ds, your system is time traveling ;) Interesting... The timestamp is assigned on syscall entry. The serial number is assigned on the creation of the first audit record of an event. From these timings above, NTP/PTP could explain this, but the third and fifth are too close together to make that

Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records

2021-01-26 Thread Richard Guy Briggs
a standalone record and its auxiliary record(s). The > context is discarded immediately after the local associated records are > produced. > > Signed-off-by: Richard Guy Briggs > Signed-off-by: Casey Schaufler > Cc: linux-audit@redhat.com > To: Richard Guy Briggs This has been

Re: [PATCH] audit: Make audit_filter_syscall() return void

2021-01-26 Thread Richard Guy Briggs
it: deprecate the AUDIT_FILTER_ENTRY filter") Might as well also amend the function comment block to remove the reference to syscall entry since that is no longer relevant. > Signed-off-by: Yang Yang Reviewed-by: Richard Guy Briggs > --- > kernel/auditsc.c | 8 > 1 file cha

Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records

2021-01-26 Thread Richard Guy Briggs
On 2021-01-26 10:58, Casey Schaufler wrote: > On 1/26/2021 10:42 AM, Richard Guy Briggs wrote: > > On 2021-01-26 08:41, Casey Schaufler wrote: > >> Standalone audit records have the timestamp and serial number generated > >> on the fly and as such are unique, making

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-11 Thread Richard Guy Briggs
On 2021-02-11 11:29, Paul Moore wrote: > On Thu, Feb 11, 2021 at 10:16 AM Phil Sutter wrote: > > Hi, > > > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > > > iptables, ip6tables, arptables and ebtables table registration, > > > repla

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-12 Thread Richard Guy Briggs
On 2021-02-11 15:26, Richard Guy Briggs wrote: > On 2021-02-11 11:29, Paul Moore wrote: > > On Thu, Feb 11, 2021 at 10:16 AM Phil Sutter wrote: > > > Hi, > > > > > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > > > > i

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-12 Thread Richard Guy Briggs
is the most common > place for a change notification. In nftables, the most common one is > generation dump - all tables are treated as elements of the same > ruleset, not individually like in xtables. > > Richard, assuming the above is correct, are you fine with reducing > nftable

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-17 Thread Richard Guy Briggs
On 2021-02-11 23:09, Florian Westphal wrote: > Richard Guy Briggs wrote: > > > > I personally would notify once per transaction. This is easy and quick. > > > > This was the goal. iptables was atomic. nftables appears to no longer > > be so. If I have this

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-18 Thread Richard Guy Briggs
On 2021-02-18 09:22, Florian Westphal wrote: > Richard Guy Briggs wrote: > > On 2021-02-11 23:09, Florian Westphal wrote: > > > So, if just a summary is needed a single audit_log_nfcfg() > > > after 'step 3' and outside of the list_for_each_entry_safe() is

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-18 Thread Richard Guy Briggs
On 2021-02-18 13:52, Florian Westphal wrote: > Richard Guy Briggs wrote: > > On 2021-02-18 09:22, Florian Westphal wrote: > > > No. There is a hierarchy, e.g. you can't add a chain without first > > > adding a table, BUT in case the table was already created by

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-18 Thread Richard Guy Briggs
On 2021-02-18 13:52, Florian Westphal wrote: > Richard Guy Briggs wrote: > > On 2021-02-18 09:22, Florian Westphal wrote: > > > > It seems I'd need to filter out the NFT_MSG_GET_* ops. > > > > > > No need, the GET ops do not cause changes and w

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-18 Thread Richard Guy Briggs
On 2021-02-18 23:42, Florian Westphal wrote: > Richard Guy Briggs wrote: > > > If they appear in a batch they will be ignored, if the batch consists of > > > such non-modifying ops only then nf_tables_commit() returns early > > > because the transaction list

Re: [PATCH ghak124 v3] audit: log nftables configuration change events

2021-02-19 Thread Richard Guy Briggs
On 2021-02-19 01:26, Richard Guy Briggs wrote: > On 2021-02-18 23:42, Florian Westphal wrote: > > Richard Guy Briggs wrote: > > > > If they appear in a batch they will be ignored, if the batch consists of > > > > such non-modifying ops only then nf_tables_commi

Re: Audit ipset changes?

2021-02-27 Thread Richard Guy Briggs
family, number of items changed, and the operation name? How much life does iptables have to it? Given that this command can change the configuration of iptables (and ipv6tables, ebtables,...) it would seem this should be logged. Steve? - RGB

Re: Getting the value of a syscall's memory address argument - setxattr

2021-02-27 Thread Richard Guy Briggs
is the only way to do that. This use case adds an additional challenge. Since this is a filesystem that is changed remotely, you may not have a record of the remote user who made the change, but only the server daemon locally that brokered the change unless that information is in those pointer

Re: Getting the value of a syscall's memory address argument - setxattr

2021-03-02 Thread Richard Guy Briggs
t a problem because I have Windows/Linux > users mapped with Centrify. If I can get the extended attributes > updated on the Linux side, I'm hoping my code can infer the equivalent > operations on the Windows side. > > On Sat, Feb 27, 2021 at 6:44 PM Richard Guy Briggs wrote:

Re: Quick announcement on the selinux/next and audit/next branches

2021-03-06 Thread Richard Guy Briggs
n this causes anyone a problem due to merge > conflicts, you can still submit your patches (assuming they apply > cleanly to the stable-5.12 branch) and I'll take care of the conflict. > > Thanks for your understanding. > > -- > paul moore - RGB -- Richard Guy Briggs

Re: [RFC PATCH 1/4] lsm: separate security_task_getsecid() into subjective and objective variants

2021-03-08 Thread Richard Guy Briggs
l be up to the latter > LSM specific patches in this series to change the hook > implementations and return the correct credentials. > > Signed-off-by: Paul Moore Audit: Acked-by: Richard Guy Briggs Reviewed-by: Richard Guy Briggs > --- > drivers/android/binder.c

Re: [RFC PATCH 2/4] selinux: clarify task subjective and objective credentials

2021-03-08 Thread Richard Guy Briggs
d_subj() LSM hook. > > This patch fixes this and attempts to make things more obvious by > introducing a new function, task_sid_subj(), and renaming the > existing task_sid() function to task_sid_obj(). > > Signed-off-by: Paul Moore FWIW Reviewed-by: Richard Guy Briggs >

Re: [RFC PATCH 3/4] smack: differentiate between subjective and objective task credentials

2021-03-08 Thread Richard Guy Briggs
On 2021-02-19 18:29, Paul Moore wrote: > With the split of the security_task_getsecid() into subjective and > objective variants it's time to update Smack to ensure it is using > the correct task creds. > > Signed-off-by: Paul Moore FWIW Reviewed-by: Richard Guy Briggs >

[PATCH] audit: further cleanup of AUDIT_FILTER_ENTRY deprecation

2021-03-11 Thread Richard Guy Briggs
Remove the list parameter from the function call since the exit filter list is the only remaining list used by this function. This cleans up commit 5260ecc2e048 ("audit: deprecate the AUDIT_FILTER_ENTRY filter") Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c | 11 -

[PATCH] MAINTAINERS: update audit files

2021-03-11 Thread Richard Guy Briggs
Add files maintained by the audit subsystem. Signed-off-by: Richard Guy Briggs --- MAINTAINERS | 4 1 file changed, 4 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 6eff4f720c72..a17532559665 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3015,9 +3015,13 @@ L: linux-audit

[PATCH 2/2] audit: document /proc/PID/sessionid

2021-03-11 Thread Richard Guy Briggs
Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that was added 2008-03-13 in commit 1e0bd7550ea9 ("[PATCH] export sessionid alongside the loginuid in procfs") Signed-off-by: Richard Guy Briggs --- Documentation/ABI/stable/procfs-audit_loginuid | 12 ++

[PATCH 0/2] audit: add documentation for /proc/PID/stable interfaces

2021-03-11 Thread Richard Guy Briggs
Add Documentation/ABI entries for audit interfaces in /proc/PID/ that have been stable for more than a decade. Richard Guy Briggs (2): audit: document /proc/PID/loginuid audit: document /proc/PID/sessionid .../ABI/stable/procfs-audit_loginuid | 27 +++ 1 file

[PATCH 1/2] audit: document /proc/PID/loginuid

2021-03-11 Thread Richard Guy Briggs
Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that was added 2005-02-01 by commit 1e2d1492e178 ("[PATCH] audit: handle loginuid through proc") Signed-off-by: Richard Guy Briggs --- Documentation/ABI/stable/procfs-audit_loginuid | 15 +++ 1 file c

Re: [PATCH] MAINTAINERS: update audit files

2021-03-12 Thread Richard Guy Briggs
On 2021-03-12 16:38, Paul Moore wrote: > On Thu, Mar 11, 2021 at 11:41 AM Richard Guy Briggs wrote: > > Add files maintained by the audit subsystem. > > > > Signed-off-by: Richard Guy Briggs > > --- > > MAINTAINERS | 4 > > 1 file changed, 4 insertion

Re: Backlog not working with kernel 3.10

2021-03-16 Thread Richard Guy Briggs
d and tested this already, please start by running those simple commands while the auditd service is running and verifying that those commands do get logged as expected. If they don't, fix that first. - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Rem

Re: [PATCH 1/2] audit: document /proc/PID/loginuid

2021-03-17 Thread Richard Guy Briggs
On 2021-03-12 14:15, Paul Moore wrote: > On Thu, Mar 11, 2021 at 11:41 AM Richard Guy Briggs wrote: > > Describe the /proc/PID/loginuid interface in Documentation/ABI/stable that > > was added 2005-02-01 by commit 1e2d1492e178 ("[PATCH] audit: handle > > loginuid through

Re: Backlog not working with kernel 3.10

2021-03-17 Thread Richard Guy Briggs
On 2021-03-16 18:25, Alan Evangelista wrote: > I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to > test the backlog, but it seems it's not working at all. Which minor version of CentOS7 is this? - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kerne
