[PATCH 1/6] audit: refactor hold queue flush

2013-01-24 Thread Richard Guy Briggs
The hold queue flush code is an autonomous chunk of code that can be refactored, removed from kauditd_thread() into flush_hold_queue() and flattened for better legibility. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- This is a code clean up in preparation to add a multicast netlink

[PATCH 5/6] audit: add restricted capability read-only netlink multicast socket

2013-01-24 Thread Richard Guy Briggs
for integrity. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- (The seemingly wasteful skb_copy() is necessary because the original kaudit unicast socket sends up messages with nlmsg_len set to the payload length rather than the entire message length. This breaks the convention used

[PATCH 0/6] audit: add restricted capability read-only netlink multicast socket

2013-01-24 Thread Richard Guy Briggs
the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE capabilities (bot uses CAP_NET_ADMIN). The CAP_AUDIT_READ capability will be added for use by read-only AUDIT_NLGRP_READLOG multicast group clients to the kaudit subsystem. https://bugzilla.redhat.com/show_bug.cgi?id=887992 Feedback please! Richard Guy Briggs (6

[PATCH 3/6] audit: move kaudit thread start from auditd registration to kaudit init

2013-01-24 Thread Richard Guy Briggs
on init of the kaudit kernel subsystem. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- This is a code clean up in preparation to add a multicast netlink socket to kaudit for read-only userspace clients such as systemd, in addition to the bidirectional audit userspace client. kernel

[PATCH 6/6] audit: send multicast messages only if there are listeners

2013-01-24 Thread Richard Guy Briggs
Test first to see if there are any userspace multicast listeners bound to the socket before starting the multicast send work. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- kernel/audit.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index

[PATCH 2/6] audit: flatten kauditd_thread wait queue code

2013-01-24 Thread Richard Guy Briggs
The wait queue control code in kauditd_thread() was nested deeper than necessary. The function has been flattened for better legibility. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- This is a code clean up in preparation to add a multicast netlink socket to kaudit for read-only

[PATCH 4/6] netlink: add send and receive capability requirement and capability flags

2013-01-24 Thread Richard Guy Briggs
the subsystem request it, allowing the client to drop other broad unneeded capabilities. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- This is a feature addition in preparation to add a multicast netlink socket to kaudit for read-only userspace clients such as systemd, in addition

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-12 Thread Richard Guy Briggs
be available in Linus' git tree before anywhere else. After that, likely fedora, then RHEL, but I'm a bit new to that process. I don't see a reason why I couldn't post that patch here when I've got it ironed out. Mirek - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Richard Guy Briggs
On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote: On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote: On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote: - Original Message - I am resurrecting this old thread from last summer because I ran

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Richard Guy Briggs
to start with. Mirek - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer AMER ENG Base Operating Systems Remote, Canada, Ottawa Voice: 1.647.777.2635 Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-14 Thread Richard Guy Briggs

pam_tty_audit icanon log switch

2013-03-21 Thread Richard Guy Briggs
and in-line it, but since they were patches for two different entities, thought it best to do it this way instead. - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer AMER ENG Base Operating Systems Remote, Canada, Ottawa Voice: 1.647.777.2635 Internal: (81) 32635 From

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-10 Thread Richard Guy Briggs
On Wed, Apr 10, 2013 at 11:02:43AM -0700, Eric W. Biederman wrote: Richard Guy Briggs r...@redhat.com writes: On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: @@ -377,6 +383,12 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-16 Thread Richard Guy Briggs
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes: On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com wrote: audit rule additions containing -F auid!=4294967295 were failing with EINVAL. The only case

Re: [PATCH] vfs: fix audit_inode call in O_CREAT case of do_last

2013-04-16 Thread Richard Guy Briggs
calls to match the wrong entry in the audit_names list. This patch simply sets the flag to properly indicate that this inode represents the parent. With this, the audit_names entries are back to looking like they did before. This patch fixes the problem for me. Tested-by: Richard Guy Briggs

Re: pam_tty_audit icanon log switch

2013-04-18 Thread Richard Guy Briggs
automatic patcher won't get confused. In this case, since it is an RFC, it isn't as critical, so convenience for commenting overrides. (more inline below) From 110971ad92ce8669f6dc18db9e6369e92afdd03e Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs r...@redhat.com Date: Thu, 21 Mar 2013 00:52:37

Re: pam_tty_audit icanon log switch

2013-04-18 Thread Richard Guy Briggs
passwords)? I don't know, being precise about the exact effect of the option is also beneficial. Hmmm, I'll have to ponder that... Mirek - RGB

Re: pam_tty_audit icanon log switch

2013-04-22 Thread Richard Guy Briggs
On Thu, Apr 18, 2013 at 04:07:08PM -0400, Richard Guy Briggs wrote: On Thu, Apr 18, 2013 at 03:31:36PM -0400, Miloslav Trmač wrote: Hello, - Original Message - Full replacement patch: I'm still convinced that icanon is not the correct condition, see https://www.redhat.com

Re: pam_tty_audit icanon log switch

2013-04-26 Thread Richard Guy Briggs
); tsk-signal-audit_tty = s-enabled != 0; + tsk-signal-audit_tty_log_icanon = s-log_icanon != 0; spin_unlock_irq(tsk-sighand-siglock); break; } -- 1.7.1

Re: pam_tty_audit icanon log switch

2013-04-26 Thread Richard Guy Briggs
On Fri, Mar 22, 2013 at 08:19:31AM +0100, Tomas Mraz wrote: On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote: Hi folks, There's been a couple of requests to add a switch to pam_tty_audit to *not* log passwords when logging user commands. Most commands are entered one

[PATCH 1/2] audit: use given values in tty_audit enable api

2013-05-03 Thread Richard Guy Briggs
In send/GET, we don't want the kernel to lie about what value is set. In recv/SET, the values are already filtered and don't need cleansing. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-05-09 Thread Richard Guy Briggs
On Thu, May 09, 2013 at 09:29:18AM -0400, Steve Grubb wrote: On Tuesday, April 16, 2013 03:38:23 PM Richard Guy Briggs wrote: On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes: On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-05-09 Thread Richard Guy Briggs
On Thu, May 09, 2013 at 09:52:47AM -0400, Richard Guy Briggs wrote: On Thu, May 09, 2013 at 09:29:18AM -0400, Steve Grubb wrote: On Tuesday, April 16, 2013 03:38:23 PM Richard Guy Briggs wrote: On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: Andrew Morton a...@linux

[PATCH] audit: cast decimal constant for invalid uid to unsigned

2013-05-20 Thread Richard Guy Briggs
...@redhat.com Cc: Stephen Rothwell s...@canb.auug.org.au Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/uapi/linux/audit.h |2 ++ kernel/auditfilter.c |2 +- 2 files changed, 3 insertions(+), 1 deletions(-) diff --git a/include/uapi

Re: [PATCH 1/7] audit: implement generic feature setting and retrieving

2013-05-30 Thread Richard Guy Briggs
that occurred to me for the audit_tty_status structure, when I implemented the password logging switch... Signed-off-by: Eric Paris epa...@redhat.com - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer Kernel Security AMER ENG Base Operating Systems Remote, Ottawa, Canada

Re: [Pam-developers] [PATCH] pam_tty_audit: add an option to control logging of passwords: log_passwd

2013-06-11 Thread Richard Guy Briggs
On Mon, Jun 10, 2013 at 04:59:37PM -0400, Richard Guy Briggs wrote: On Wed, Jun 05, 2013 at 02:54:09AM +0400, Dmitry V. Levin wrote: On Thu, May 23, 2013 at 10:29:59AM -0400, Richard Guy Briggs wrote: Most commands are entered one line at a time and processed as complete lines in non

Re: Pam_tty_audit and passwords

2013-06-17 Thread Richard Guy Briggs
to answer questions about RHEL6 as well. That discussion and review of that patch is on the pam-develop...@lists.fedorahosted.org list. Thanks, J - RGB

Re: auditd compilation..

2013-06-27 Thread Richard Guy Briggs
to fix it, which I'm about to submit, but I just have to verify it. I am also in the process of backporting the original patch with fix to rhel6.5. Regards, Shinoj. - RGB

Re: [PATCH] audit: audit on the future execution of a binary.

2013-07-03 Thread Richard Guy Briggs
; + break; + } + } + } + break; case AUDIT_UID: result = audit_comparator(cred-uid, f-op, f-val); break; -- 1.7.7.3 - RGB

[PATCH] audit: update AUDIT_INODE filter rule to comparator function

2013-07-04 Thread Richard Guy Briggs
It appears this one comparison function got missed in f368c07d (and 9c937dcc). Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3c8a601..cb23f7d 100644

Re: [PATCH] audit: audit on the future execution of a binary.

2013-07-08 Thread Richard Guy Briggs
On Sun, Jul 07, 2013 at 03:41:41PM -0700, Peter Moody wrote: On Wed, Jul 03 2013 at 19:48, Richard Guy Briggs wrote: On Thu, Aug 23, 2012 at 12:24:00PM -0700, Peter Moody wrote: This adds the ability audit the actions of a not-yet-running process, as well as the children of a not-yet

[PATCH] audit: listen in all network namespaces

2013-07-16 Thread Richard Guy Briggs
Convert audit from only listening in init_net to use register_pernet_subsys() to dynamically manage the netlink socket list. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 64 ++- kernel/audit.h |4 +++ 2 files

[PATCH] audit: restore order of tty and ses fields in log output

2013-07-16 Thread Richard Guy Briggs
Guy Briggs r...@redhat.com --- kernel/audit.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..63b2dd5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1590,7 +1590,7 @@ void audit_log_task_info(struct audit_buffer *ab

[PATCH] kaudit: prevent an older auditd shutdown from orphaning a newer auditd startup

2013-07-17 Thread Richard Guy Briggs
that specific case, returning an error of EACCES. The case for preventing a newer auditd from registering itself if there is an existing auditd is a more difficult case that is beyond the scope of this patch. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 ++ 1 files changed

Re: [PATCH] audit: listen in all network namespaces

2013-07-19 Thread Richard Guy Briggs
On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote: Hi, Richard On 07/17/2013 04:32 AM, Richard Guy Briggs wrote: Convert audit from only listening in init_net to use register_pernet_subsys() to dynamically manage the netlink socket list. Signed-off-by: Richard Guy Briggs r

Re: [PATCH] audit: listen in all network namespaces

2013-07-30 Thread Richard Guy Briggs
On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote: On 07/20/2013 05:15 AM, Richard Guy Briggs wrote: On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote: Hi, Richard On 07/17/2013 04:32 AM, Richard Guy Briggs wrote: Convert audit from only listening in init_net to use

Re: [PATCH] audit: printk USER_AVC messages when audit isn't enabled

2013-08-20 Thread Richard Guy Briggs

[PATCH 08/12] audit: anchor all pid references in the initial pid namespace

2013-08-21 Thread Richard Guy Briggs
. Cc: Eric W. Biederman ebied...@xmission.com (informed by ebiederman's c776b5d2) Signed-off-by: Richard Guy Briggs r...@redhat.com --- drivers/tty/tty_audit.c |3 ++- kernel/audit.c | 15 ++- kernel/auditfilter.c | 17

[PATCH 11/12] pid: rewrite task helper functions avoiding task-pid and task-tgid

2013-08-21 Thread Richard Guy Briggs
This stops these four task helper functions from using the deprecated and error-prone task-pid and task-tgid. (informed by ebiederman's ea5a4d01) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h |8 1 files

[PATCH 00/12] RFC: steps to make audit pid namespace-safe

2013-08-21 Thread Richard Guy Briggs
it. Discuss. Eric W. Biederman (5): audit: Kill the unused struct audit_aux_data_capset audit: Simplify and correct audit_log_capset Richard Guy Briggs (7): audit: fix netlink portid naming and types pid: get ppid pid_t of task in init_pid_ns safely audit: convert PPIDs to the inital PID

[PATCH 12/12] pid: mark struct task const in helper functions

2013-08-21 Thread Richard Guy Briggs
It doesn't make any sense to recallers to pass in a non-const struct task so update the function signatures to only require a const struct task. (informed by ebiederman's c76b2526) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux

[PATCH 10/12] pid: modify task_tgid_nr to work without task-tgid.

2013-08-21 Thread Richard Guy Briggs
task-tgid is an error prone construct and results in duplicate maintenance. Start its demise by modifying task_tgid_nr to not use it. Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h |2 +- 1 files changed, 1 insertions

[PATCH 01/12] audit: Kill the unused struct audit_aux_data_capset

2013-08-21 Thread Richard Guy Briggs
From: Eric W. Biederman ebied...@xmission.com Signed-off-by: Eric W. Biederman ebied...@xmission.com (cherry picked from commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7) Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |6 -- 1 files changed, 0 insertions(+), 6

[PATCH 03/12] pid: get ppid pid_t of task in init_pid_ns safely

2013-08-21 Thread Richard Guy Briggs
to the child process' pid namespace. (informed by ebiederman's 6c621b7e) Cc: sta...@vger.kernel.org Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h | 23 +++ 1 files changed, 23 insertions(+), 0 deletions

[PATCH 07/12] audit: store audit_pid as a struct pid pointer

2013-08-21 Thread Richard Guy Briggs
into the initial pid namespace for reports (informed by ebiederman's 5bf431da) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 25 +++-- kernel/audit.h |4 ++-- kernel/auditsc.c |6 +++--- 3 files changed

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task-pid and task-tgid

2013-08-22 Thread Richard Guy Briggs
On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote: On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote: This stops these four task helper functions from using the deprecated and error-prone task-pid and task-tgid. (informed by ebiederman's ea5a4d01) Cc: Eric

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task-pid and task-tgid

2013-08-26 Thread Richard Guy Briggs
On Fri, Aug 23, 2013 at 08:36:21AM +0200, Peter Zijlstra wrote: On Thu, Aug 22, 2013 at 05:43:47PM -0400, Richard Guy Briggs wrote: On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote: On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote: This stops these four

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task-pid and task-tgid

2013-08-26 Thread Richard Guy Briggs
On Fri, Aug 23, 2013 at 09:28:07PM +0200, Oleg Nesterov wrote: On 08/22, Richard Guy Briggs wrote: On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote: Why would you ever want to do this? It just makes these tests more expensive for no gain what so ff'ing ever. Backups

Re: [PATCH 03/12] pid: get ppid pid_t of task in init_pid_ns safely

2013-08-30 Thread Richard Guy Briggs
On Tue, Aug 27, 2013 at 07:21:55PM +0200, Oleg Nesterov wrote: On 08/20, Richard Guy Briggs wrote: Added the functions task_ppid() task_ppid_nr_ns() task_ppid_nr_init_ns() to safely abstract the lookup of the PPID but it is not safe. +static inline

audit looks unmaintained? [was: Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task-pid and task-tgid]

2013-08-30 Thread Richard Guy Briggs
are on linux-audit@redhat.com list. Oleg. - RGB

Re: [PATCH 03/12] pid: get ppid pid_t of task in init_pid_ns safely

2013-09-03 Thread Richard Guy Briggs
On Fri, Aug 30, 2013 at 01:37:09PM -0700, John Johansen wrote: On 08/30/2013 12:56 PM, Richard Guy Briggs wrote: On Tue, Aug 27, 2013 at 07:21:55PM +0200, Oleg Nesterov wrote: On 08/20, Richard Guy Briggs wrote: Most of the instances are current, but the one called from apparmour

Re: user message limits

2013-09-17 Thread Richard Guy Briggs

[PATCH] audit: format user messages to size of MAX_AUDIT_MESSAGE_LENGTH

2013-09-17 Thread Richard Guy Briggs
-by: Justin Stephenson jstep...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..939cff1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -715,7 +715,7

[PATCH] audit: remove newline accidentally added during session id helper refactor

2013-09-18 Thread Richard Guy Briggs
A newline was accidentally added during session ID helper refactorization in commit 4d3fb709. This needlessly uses up buffer space, messes up syslog formatting and makes userspace processing less efficient. Remove it. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2

spurious \n in session id helper [was: Re: user message limits]

2013-09-18 Thread Richard Guy Briggs
On Wed, Sep 18, 2013 at 10:25:57AM -0400, Steve Grubb wrote: On Tuesday, September 17, 2013 10:25:23 PM Richard Guy Briggs wrote: On Tue, Sep 17, 2013 at 02:10:19PM -0400, Steve Grubb wrote: and then session information: audit_log_format(ab, auid=%u ses=%u\n, auid, sessionid); which

[PATCH 1/8] audit: avoid soft lockup due to audit_log_start() incorrect loop termination

2013-09-18 Thread Richard Guy Briggs
Khlebnikov khlebni...@openvz.org Signed-off-by: Dan Duval dan.du...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel

[PATCH 4/8] audit: efficiency fix 1: only wake up if queue shorter than backlog limit

2013-09-18 Thread Richard Guy Briggs
...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 42c68db..25fab2d 100644 --- a/kernel/audit.c

[PATCH 3/8] audit: make use of remaining sleep time from wait_for_auditd

2013-09-18 Thread Richard Guy Briggs
If wait_for_auditd() times out, go immediately to the error function rather than retesting the loop conditions. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 12 1 files changed, 8 insertions(+), 4 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c

[PATCH 6/8] audit: add boot option to override default backlog limit

2013-09-18 Thread Richard Guy Briggs
the lost messages without compiling a new kernel. This patch adds a boot option (audit already has one to enable/disable it) audit_backlog_limit=n that overrides the default to allow the system administrator to set the backlog limit. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel

[PATCH 2/8] audit: reset audit backlog wait time after error recovery

2013-09-18 Thread Richard Guy Briggs
-by: Luiz Capitulino lcapitul...@redhat.com Signed-off-by: Dan Duval dan.du...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/kernel

[PATCH 0/8] Audit backlog queue fixes related to soft lockup

2013-09-18 Thread Richard Guy Briggs
and 8th are to add a config option to make the backlog wait time configurable from the hard-coded default. Richard Guy Briggs (8): audit: avoid soft lockup due to audit_log_start() incorrect loop termination audit: reset audit backlog wait time after error recovery audit: make use

[PATCH 5/8] audit: efficiency fix 2: request exclusive wait since all need same resource

2013-09-18 Thread Richard Guy Briggs
://lkml.org/lkml/2013/9/2/479 Signed-off-by: Dan Duval dan.du...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel

Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option

2013-09-19 Thread Richard Guy Briggs
On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote: On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote: readahead-collector abuses the audit logging facility to discover which files are accessed at boot time to make a pre-load list Add a tuning option

Re: [PATCH] Audit: remove duplicate comments

2013-09-23 Thread Richard Guy Briggs

Re: [PATCH 7/8] audit: clean up AUDIT_GET/SET local variables and future-proof API

2013-09-23 Thread Richard Guy Briggs
On Fri, Sep 20, 2013 at 10:47:50AM -0400, Eric Paris wrote: On Thu, 2013-09-19 at 17:18 -0400, Steve Grubb wrote: On Wednesday, September 18, 2013 03:06:52 PM Richard Guy Briggs wrote: Re-named confusing local variable names (status_set and status_get didn't agree with their command type

Re: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests

2013-09-30 Thread Richard Guy Briggs
; status_set.pid = audit_pid; -- 1.7.10.4 - RGB

Re: [PATCH 2/2] audit: use nlmsg_len() to get message payload length

2013-09-30 Thread Richard Guy Briggs
) || (s.log_passwd != 0 s.log_passwd != 1)) return -EINVAL; -- 1.7.10.4 - RGB

[PATCH] audit: update AUDIT_INODE filter rule to comparator function

2013-10-08 Thread Richard Guy Briggs
It appears this one comparison function got missed in f368c07d (and 9c937dcc). Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 63223d6..065c7a1 100644

Re: [PATCH] audit: change pid to portid for audit_reply

2013-10-23 Thread Richard Guy Briggs
(audit_send_reply_thread, reply, audit_send_reply); -- 1.8.3.1 - RGB

Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

2013-10-23 Thread Richard Guy Briggs
) + gfp_mask = ~__GFP_WAIT; + else + reserve = 0; + } while (audit_backlog_limit skb_queue_len(audit_skb_queue) audit_backlog_limit + reserv - RGB

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-24 Thread Richard Guy Briggs

Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

2013-10-24 Thread Richard Guy Briggs
On Thu, Oct 24, 2013 at 01:55:37PM +0800, Gao feng wrote: On 10/24/2013 03:55 AM, Richard Guy Briggs wrote: On Tue, Oct 15, 2013 at 02:30:34PM +0800, Gao feng wrote: Hi Toshiyuki-san, Toshiuki and Gao, On 10/15/2013 12:43 PM, Toshiyuki Okajima wrote: The backlog cannot be consumed

Re: [PATCH] audit: remove useless code in audit_enable

2013-10-25 Thread Richard Guy Briggs
(until reboot)); return 1; } - RGB

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-28 Thread Richard Guy Briggs
be a dynamic on/off setting, which brings me to my question, of: What is the status of E.Paris's generic feature set/get patches fare? This is a great use case for those. I've queued his patchset for linux-next to be pushed just after v3.12 release. - RGB

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-28 Thread Richard Guy Briggs
On Mon, Oct 28, 2013 at 12:02:42PM -0700, William Roberts wrote: On Mon, Oct 28, 2013 at 9:30 AM, William Roberts bill.c.robe...@gmail.comwrote: On Mon, Oct 28, 2013 at 8:10 AM, Richard Guy Briggs r...@redhat.comwrote: On Mon, Oct 28, 2013 at 06:48:48AM -0700, William Roberts wrote

Re: Format specifier issue when building kernel

2013-10-28 Thread Richard Guy Briggs
. William C Roberts - RGB

[PATCH 1/3] audit: Kill the unused struct audit_aux_data_capset

2013-10-30 Thread Richard Guy Briggs
From: Eric W. Biederman ebied...@xmission.com Signed-off-by: Eric W. Biederman ebied...@xmission.com (cherry picked from commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7) (cherry picked from commit 2b3a6c617396a9e6eedae9a56b2d9642da0216b6) --- kernel/auditsc.c |6 -- 1 files changed, 0

[PATCH 2/3] audit: remove unused envc member of audit_aux_data_execve

2013-10-30 Thread Richard Guy Briggs
Get rid of write-only audit_aux_data_exeve structure member envc. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 24047f4..c9abaa0 100644 --- a/kernel

[PATCH 0/3] audit: Tidy up audit_context and stop bprm recursion

2013-10-30 Thread Richard Guy Briggs
This patchset is a clean up of the audit_aux_data and audit_context structures and the audit_bprm() call that was needlessly recursing, allocating more resources than necessary. Eric W. Biederman (1): audit: Kill the unused struct audit_aux_data_capset Richard Guy Briggs (2): audit: remove

[PATCH 3/3] audit: call audit_bprm() only once to add AUDIT_EXECVE information

2013-10-30 Thread Richard Guy Briggs
...@redhat.com Cc: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/exec.c |5 + include/linux/audit.h | 13 + kernel/audit.h|3 +++ kernel/auditsc.c | 41 ++--- 4 files

Re: [PATCH v2] audit: remove useless code in audit_enable

2013-10-31 Thread Richard Guy Briggs
? + enabled (after initialization) : disabled (until reboot)); return 1; } -- 1.8.3.1 - RGB

[PATCH 0/4][v2] audit: Tidy up audit_context and stop bprm recursion

2013-10-31 Thread Richard Guy Briggs
This patchset is a clean up of the audit_aux_data and audit_context structures and the audit_bprm() call that was needlessly recursing, allocating more resources than necessary. Eric W. Biederman (1): audit: Kill the unused struct audit_aux_data_capset Richard Guy Briggs (3): audit: remove

[PATCH 1/4][v2] audit: Kill the unused struct audit_aux_data_capset

2013-10-31 Thread Richard Guy Briggs
From: Eric W. Biederman ebied...@xmission.com Signed-off-by: Eric W. Biederman ebied...@xmission.com (cherry picked from commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7) (cherry picked from commit 2b3a6c617396a9e6eedae9a56b2d9642da0216b6) --- kernel/auditsc.c |6 -- 1 files changed, 0

[PATCH 3/4][v2] audit: move audit_aux_data_execve contents into audit_context union

2013-10-31 Thread Richard Guy Briggs
on a kmalloc along the way. Reported-by: Oleg Nesterov onest...@redhat.com Cc: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |4 ++-- kernel/audit.h|4 kernel/auditsc.c | 41

[PATCH 4/4][v2] audit: call audit_bprm() only once to add AUDIT_EXECVE information

2013-10-31 Thread Richard Guy Briggs
(). audit_bprm() was being called to add an AUDIT_EXECVE record to the audit context every time search_binary_handler() was recursively called. Only one reference is necessary. Reported-by: Oleg Nesterov onest...@redhat.com Cc: Eric Paris epa...@redhat.com Signed-off-by: Richard Guy Briggs r

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-31 Thread Richard Guy Briggs
but Richard Briggs suggested making it a dynamic feature and I was pretty ok with that. Ok, so how about both fields are always present, but have some keyword that is printed that indicates it is a duplicate of the other field? Something like cmdline=(comm) William C Roberts - RGB -- Richard Guy Briggs

[PATCH 2/4][v2] audit: remove unused envc member of audit_aux_data_execve

2013-10-31 Thread Richard Guy Briggs
Get rid of write-only audit_aux_data_execve structure member envc. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 24047f4..c9abaa0 100644 --- a/kernel

Re: Format specifier issue when building kernel

2013-10-31 Thread Richard Guy Briggs
On Mon, Oct 28, 2013 at 08:55:08PM -0700, William Roberts wrote: On Mon, Oct 28, 2013 at 6:43 PM, William Roberts bill.c.robe...@gmail.com wrote: On Mon, Oct 28, 2013 at 6:35 PM, Richard Guy Briggs r...@redhat.com wrote: On Mon, Oct 28, 2013 at 04:31:30PM -0700, William Roberts wrote

Re: Format specifier issue when building kernel

2013-11-01 Thread Richard Guy Briggs
); - else { + } else { int size; audit_log_format(ab, data=); - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer Kernel Security AMER ENG Base Operating Systems Remote, Ottawa

Re: Format specifier issue when building kernel

2013-11-01 Thread Richard Guy Briggs
On Fri, Nov 01, 2013 at 12:34:55PM -0400, Steve Grubb wrote: On Friday, November 01, 2013 12:24:55 PM Richard Guy Briggs wrote: On Thu, Oct 31, 2013 at 12:25:55PM -0700, William Roberts wrote: + if (msg_type != AUDIT_USER_TTY) { + char

Re: Format specifier issue when building kernel

2013-11-01 Thread Richard Guy Briggs
On Fri, Nov 01, 2013 at 12:38:15PM -0400, Richard Guy Briggs wrote: On Fri, Nov 01, 2013 at 12:34:55PM -0400, Steve Grubb wrote: On Friday, November 01, 2013 12:24:55 PM Richard Guy Briggs wrote: On Thu, Oct 31, 2013 at 12:25:55PM -0700, William Roberts wrote: +char usermsg_format[64

Re: [PATCH 5/5] audit: change the type of oldloginuid from kuid_t to unsigned long

2013-11-01 Thread Richard Guy Briggs
oldsessionid; int rc; oldloginuid = audit_get_loginuid(current); -- 1.8.3.1 - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt

Re: [PATCH 1/7] audit: implement generic feature setting and retrieving

2013-11-02 Thread Richard Guy Briggs
!= AUDIT_USER_AVC) Can I assume that the removal of the AUDIT_USER case line was accidental? It has broken USER type AUDIT messages. - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice

Re: [PATCH v2] audit: fix incorrect type of sessionid

2013-11-02 Thread Richard Guy Briggs
; + kuid_t oldloginuid; + unsigned int oldsessionid; int rc; oldloginuid = audit_get_loginuid(current); -- 1.8.3.1 - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-11-05 Thread Richard Guy Briggs
-- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman

Re: [PATCH] Dropped audit_log_abend()

2013-11-11 Thread Richard Guy Briggs
); if (unlikely(!ab)) return; - audit_log_abend(ab, memory violation, signr); + audit_log_task(ab); + audit_log_format(ab, sig=%ld, signr); audit_log_end(ab); } - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base
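
Review bot: The replacement for audit_log_abend(ab, memory violation, signr) passes only signr to audit_log_format(), so the "memory violation" reason string that was an argument of the removed call is not emitted by any of the visible added lines. If consumers of this record key on the reason, add it to the format call alongside sig=%ld. Also confirm that the format string starts with a separator, so that sig= does not run into the last field written by audit_log_task(ab).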

Re: proposing [PATCH] audit: get rid of *NO* daemon at audit_pid=0 message

2013-11-11 Thread Richard Guy Briggs
); + audit_log_lost(auditd disappeared\n); + audit_pid = 0; + } /* we might get lucky and get this in the next auditd */ audit_hold_skb(skb); } else -- 1.8.3.1 Is this ok? Thanks, - RGB -- Richard Guy Briggs rbri...@redhat.com

logging changes in tty logging status

2013-11-13 Thread Richard Guy Briggs
Hi Steve, I'm reviewing audit_receive_msg() and noticing that the AUDIT_TTY_SET case doesn't log a configuration change. Should it? - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice

Re: logging changes in tty logging status

2013-11-14 Thread Richard Guy Briggs
On Wed, Nov 13, 2013 at 03:22:49PM -0500, Steve Grubb wrote: On Wednesday, November 13, 2013 03:04:18 PM Richard Guy Briggs wrote: Hi Steve, I'm reviewing audit_receive_msg() and noticing that the AUDIT_TTY_SET case doesn't log a configuration change. Should it? Yes, it should. Any

Re: [PATCH 1/2] audit: Allow auditing of proc/self/cmdline value

2013-11-19 Thread Richard Guy Briggs
-comm)]; @@ -1179,6 +1211,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk } up_read(mm-mmap_sem); } + audit_log_add_cmdline(ab, tsk); audit_log_task_context(ab); } -- 1.7.9.5 - RGB -- Richard Guy
