dit, losing fields.
Use get_task_comm() to get a copy while acquiring the task_lock to prevent
this and to prevent the result from being a mixture of old and new values of
comm.
Tetsuo Handa
Signed-off-by: Richard Guy Briggs
---
I've manually checked for locking issues and found none. I've
On 14/03/27, Stephen Smalley wrote:
> On 03/27/2014 01:20 PM, Richard Guy Briggs wrote:
> > On 14/03/12, James Morris wrote:
> >> On Tue, 11 Mar 2014, Tetsuo Handa wrote:
> >>
> >>> And the same phrase goes to James Morris...
> >>>
open_arg() was added in commit 55669bfa "audit: AUDIT_PERM support"
and never used. Remove it.
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |8
1 files changed, 0 insertions(+), 8 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e1744
Convert audit_log() call to WARN_ONCE().
Rename "type=" to "nlmsg_type=" to avoid confusion with the audit record
type.
Added "protocol=" to help track down which protocol (NETLINK_AUDIT?) was used
within the netlink protocol family.
Signed-off-by: Richard Guy Brig
Restructure to keyword=value pairs without spaces. Drop superfluous words in
text. Make invalid_context a keyword. Change result= keyword to seresult=.
Signed-off-by: Richard Guy Briggs
---
security/selinux/ss/services.c | 14 --
1 files changed, 8 insertions(+), 6 deletions
> >> mutex_lock(&dir->d_inode->i_mutex);
> >> - error = lookup_open(nd, path, file, op, got_write, opened);
> >> + error = lookup_open(nd, path, file, op, got_write, opened, name);
> >> mutex_unlock(&dir->d_inode->i_mutex);
> >>
>
: exit,never auid=-1 (0x) syscall=all
Cc: sta...@vger.kernel.org # v3.10-rc1+
Signed-off-by: Richard Guy Briggs
---
kernel/auditfilter.c |7 +++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 40ed981..d0715a7 100644
On 14/08/28, Eric W. Biederman wrote:
> Richard Guy Briggs writes:
> > On 14/08/23, Eric W. Biederman wrote:
> >> Richard Guy Briggs writes:
> >>
> >> > Generate and assign a serial number per namespace instance since boot.
> >> >
> >>
8: ipip1@[unknown device in another namespace]:
> >> mtu 1480 qdisc noop state DOWN
> >>
> >> I think this outcome is mandatory if netns 1 lives in a subsidiary
> >> user namespace.
> >
> > Yes.
> >
> >
> >>
> >> Certa
-paste-eo in commit b0fed40.
Reported-by: Steve Grubb
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index d20f00f..3a80abb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -724,7 +724,7
ename several "watch" references to "mark".
RGB: Rename audit_remove_rule() to audit_remove_mark_rule().
RGB: Let audit_free_rule() take care of calling audit_remove_mark().
Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
---
kernel/Makefile |2 +-
kerne
Make this interface consistent with watch and filter key, avoiding the extra
string copy and simply consume the new string pointer.
Signed-off-by: Richard Guy Briggs
---
kernel/audit_exe.c |5 -
kernel/audit_fsnotify.c | 12 ++--
kernel/auditfilter.c|2 +-
3 files
tinue to
work.
RGB: Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |2 +-
kernel/audit.h | 34 +++---
kernel/audit_exe.c |
tml
v0: Peter Moodie's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit
moment, this
patch works.
Based-on-user-interface-by: Richard Guy Briggs
Cc: r...@redhat.com
Based-on-idea-by: Peter Moody
Cc: pmo...@google.com
Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |1 +
include/uapi/linux/audit.h |2 +
kernel/Makefile
On 14/08/23, Eric W. Biederman wrote:
> Richard Guy Briggs writes:
>
> > Generate and assign a serial number per namespace instance since boot.
> >
> > Use a serial number per namespace (unique across one boot of one kernel)
> > instead of the inode number (which is
On 14/08/24, Andy Lutomirski wrote:
> On Thu, Aug 21, 2014 at 6:58 PM, Richard Guy Briggs wrote:
> > On 14/08/21, Andy Lutomirski wrote:
> >> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote:
> >> > Expose the namespace instance serial numbers in the p
On 14/08/21, Andy Lutomirski wrote:
> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote:
> > Expose the namespace instance serial numbers in the proc filesystem at
> > /proc//ns/_snum. The link text gives the serial number in hex.
>
> What's the use ca
On 14/08/21, Aristeu Rozanski wrote:
> Hi Richard,
Hi Aris,
> On Wed, Aug 20, 2014 at 09:09:33PM -0400, Richard Guy Briggs wrote:
> > Is there a way to link serial numbers of namespaces involved in migration
> > of a
> > container to another kernel? It sounds like what
On 14/08/21, Andy Lutomirski wrote:
> On Thu, Aug 21, 2014 at 2:28 PM, Richard Guy Briggs wrote:
> > On 14/08/21, Andy Lutomirski wrote:
> >> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote:
> >> >
> >> > Generate and assi
On 14/08/21, Andy Lutomirski wrote:
> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote:
> >
> > Generate and assign a serial number per namespace instance since boot.
> >
> > Use a serial number per namespace (unique across one boot of one kernel)
>
---
Documentation/filesystems/proc.txt | 16
1 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/Documentation/filesystems/proc.txt
b/Documentation/filesystems/proc.txt
index ddc531a..c4bfd6f 100644
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesy
Suggested-by: Serge E. Hallyn
Signed-off-by: Richard Guy Briggs
---
fs/proc/namespaces.c | 33 +
1 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
index 8902609..e953e0a 100644
--- a/fs/proc/namespace
Expose the namespace instance serial number for each namespace type in the proc
namespace operations structure to make it available for the proc filesystem.
Signed-off-by: Richard Guy Briggs
---
fs/namespace.c |7 +++
include/linux/proc_ns.h |1 +
ipc/namespace.c
The audit subsystem should be initialized a bit earlier so that it is in place
in time for initial namespace serial number logging.
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 6d95d1c..aa99518 100644
--- a/kerne
) to
uniquely identify it per kernel boot.
Signed-off-by: Richard Guy Briggs
---
fs/mount.h |1 +
fs/namespace.c |1 +
include/linux/ipc_namespace.h |1 +
include/linux/nsproxy.h|8
include/linux/pid_namespace.h |1 +
include
format would look something like:
type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1
pidns=4 userns=3 mntns=5
The serial numbers are printed in hex.
Suggested-by: Aristeu Rozanski
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
---
include/linux/audit.h
Expose ns_entries so subsystems other than proc can use this set of namespace
operations.
Signed-off-by: Richard Guy Briggs
---
fs/proc/namespaces.c|2 +-
include/linux/proc_ns.h |1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc
y: Richard Guy Briggs
---
fs/namespace.c | 12 +++
include/linux/audit.h |8 +++
include/uapi/linux/audit.h | 12 +++
ipc/namespace.c| 10 +
kernel/audit.c | 47
kernel/pid_n
_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit. *However*, the addition of the
proc//ns/*_snum does make it available to other processes now.
Richard Guy Briggs (8):
namespaces: assign each namespace instance a serial number
namespaces: expose
On 14/08/19, Eric W. Biederman wrote:
> Richard Guy Briggs writes:
>
> > On 14/05/20, Richard Guy Briggs wrote:
> >> On 14/05/20, Eric Paris wrote:
> >> > On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
> >> > > The purpose is to trac
On 14/05/20, Richard Guy Briggs wrote:
> On 14/05/20, Eric Paris wrote:
> > On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
> > > The purpose is to track namespaces in use by logged processes from the
> > > perspective of init_*_ns.
(Including the Linux AP
to BPF.
A new ARCH definition, AUDIT_ARCH_X86_X32, was added for syscall_get_arch().
Cc: Paul Moore
Cc: Eric Paris
Cc: Al Viro
Cc: Will Drewry
Cc: H. Peter Anvin
Signed-off-by: Richard Guy Briggs
Link: http://lkml.kernel.org/r/cover.1405023592.git@redhat.com
Richard Guy Briggs (3
Add a definition for 32-bit native system calls under 64-bit x86 architectures.
This is distinct from 32-bit emulation under 64-bit x86 architectures.
Cc: Paul Moore
Cc: Eric Paris
Cc: Al Viro
Cc: Will Drewry
Cc: H. Peter Anvin
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux
satisfy other regular users of syscall_get_nr() and syscall_get_arch()
without changing the seccomp interface to BPF.
Cc: Paul Moore
Cc: Eric Paris
Cc: Al Viro
Cc: Will Drewry
Cc: H. Peter Anvin
Signed-off-by: Richard Guy Briggs
Link: http://lkml.kernel.org/r/cover.1405023592.git
with reverting 8b4b9f2 should satisfy other regular users of
syscall_get_nr() without changing the seccomp interface to BPF.
Cc: Paul Moore
Cc: Eric Paris
Cc: Al Viro
Cc: Will Drewry
Cc: H. Peter Anvin
Signed-off-by: Richard Guy Briggs
Link: http://lkml.kernel.org/r/cover.1405023592.git
On 14/06/17, Mimi Zohar wrote:
> On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote:
> > Replace spaces in op keyword labels in log output since userspace audit
> > tools
> > can't parse orphaned keywords.
>
> The patch didn't apply cleanly to
The new- prefix on ses and auid are unnecessary and break ausearch.
Upstream-commit: aa589a1
Cc: sta...@vger.kernel.org # v3.14-rc1 to v3.14
Reported-by: Steve Grubb
Signed-off-by: Richard Guy Briggs
---
kernel/auditsc.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git
Eric Paris suggested lsm_str and lsm_rule could be added to this optimisation.
audit_free_rule needed a bit of re-factoring to accomplish this, but nothing too
controversial.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |6 --
kernel/auditfilter.c | 27
On 14/06/17, Randy Dunlap wrote:
> On 06/16/14 12:48, Richard Guy Briggs wrote:
> > The index is correct, but there are two sections tagged 3.7. Fix.
> >
> > Signed-off-by: Richard Guy Briggs
>
> This seems to already be fixed by commit
> 49d063cb353265c3af701ba
Since there is already a primitive to do this operation in the atomic_t, use it
to simplify audit_serial().
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 14 ++
1 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 218899b
Since only one of val, uid and gid are used at any given time, combine them to
reduce the size of the struct audit_field.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |8 +---
kernel/auditfilter.c |2 --
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a
audit_log_fcaps() isn't used outside kernel/audit.c. Reduce its scope.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
kernel/audit.h |1 -
2 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index bdd0172..3225a5d 100644
audit_net_id isn't used outside kernel/audit.c. Reduce its scope.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 59c0bbe..bdd0172 100644
--- a/kernel/audit.c
+++ b/k
Replace spaces in op keyword labels in log output since userspace audit tools
can't parse orphaned keywords.
Reported-by: Steve Grubb
Signed-off-by: Richard Guy Briggs
---
security/integrity/ima/ima_appraise.c |2 +-
security/integrity/ima/ima_policy.c |6 +++---
2 files chang
The index is correct, but there are two sections tagged 3.7. Fix.
Signed-off-by: Richard Guy Briggs
---
Documentation/filesystems/proc.txt |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/Documentation/filesystems/proc.txt
b/Documentation/filesystems/proc.txt
index
On 14/06/14, Mimi Zohar wrote:
> On Sat, 2014-06-14 at 12:43 +0300, Dmitry Kasatkin wrote:
> > On 14 June 2014 03:02, Richard Guy Briggs wrote:
> > > On 14/04/02, Richard Guy Briggs wrote:
> > >> On 14/04/02, Mimi Zohar wrote:
> > >> > On Wed
On 14/04/02, Richard Guy Briggs wrote:
> On 14/04/02, Mimi Zohar wrote:
> > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote:
> > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote:
> > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote:
> > >
LAST_FEATURE + 1 >
> sizeof(audit_feature_names)/sizeof(audit_feature_names[0]));
> + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names));
> uaf = nlmsg_data(nlmsg_hdr(skb));
>
> /* if there is ever a version 2 we should handle that here */
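Review bot: the `+` line keeps the original `AUDIT_LAST_FEATURE + 1 >` bound, so the build-time check behaves exactly as before; replacing the open-coded `sizeof(audit_feature_names)/sizeof(audit_feature_names[0])` with `ARRAY_SIZE(audit_feature_names)` is the kernel's idiom for this and is the right cleanup. Nothing else in the visible hunk changes.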
On 14/05/26, Michael Kerrisk (man-pages) wrote:
> Hi Richard
>
> On Mon, May 26, 2014 at 6:58 PM, Richard Guy Briggs wrote:
> > On 14/05/22, Michael Kerrisk wrote:
> >> Richard,
> >
> > Hi Michael,
> >
> >> On Tue, May 20, 2014 at 3:12 PM, Ric
On 14/05/22, Michael Kerrisk wrote:
> Richard,
Hi Michael,
> On Tue, May 20, 2014 at 3:12 PM, Richard Guy Briggs wrote:
> > The purpose is to track namespaces in use by logged processes from the
> > perspective of init_*_ns.
> >
> > 1/6 defines a function to
On 14/05/20, Eric Paris wrote:
> On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
> > The purpose is to track namespaces in use by logged processes from the
> > perspective of init_*_ns.
> >
> > 1/6 defines a function to generate them and assigns them.
>
stemd" netns=97 utsns=2 ipcns=1 pidns=4 userns=3
mntns=5 subj=system_u:system_r:init_t:s0 key=(null)
The serial numbers are printed in hex.
Suggested-by: Aristeu Rozanski
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
---
include/linux/audit.h |7 +++
kernel/a
Expose ns_entries so subsystems other than proc can use this set of namespace
operations.
Signed-off-by: Richard Guy Briggs
---
fs/proc/namespaces.c|2 +-
include/linux/proc_ns.h |1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc
Expose the namespace instance serial number for each namespace type in the proc
namespace operations structure to make it available for the proc filesystem.
Signed-off-by: Richard Guy Briggs
---
fs/namespace.c |7 +++
include/linux/proc_ns.h |1 +
ipc/namespace.c
cloned.
The types are CLONE_NEW* listed in include/uapi/linux/sched.h.
Signed-off-by: Richard Guy Briggs
---
fs/namespace.c |4
include/linux/audit.h |8
include/uapi/linux/audit.h |2 ++
ipc/namespace.c| 10 ++
kernel/audit.c
Suggested-by: Serge E. Hallyn
Signed-off-by: Richard Guy Briggs
---
fs/proc/namespaces.c | 33 +
1 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
index 9ae46b8..57fce90 100644
--- a/fs/proc/namespace
) to
uniquely identify it per kernel boot.
Signed-off-by: Richard Guy Briggs
---
fs/mount.h |1 +
fs/namespace.c |1 +
include/linux/ipc_namespace.h |1 +
include/linux/nsproxy.h|8
include/linux/pid_namespace.h |1 +
include
in init_user_ns can get to this information in
the init namespace at the moment from audit. *However*, the addition of the
proc//ns/*_snum does make it available to other processes now.
Richard Guy Briggs (6):
namespaces: assign each namespace instance a serial number
namespaces: expose namespace
On 14/05/13, Richard Guy Briggs wrote:
> On 14/05/10, Eric Paris wrote:
> > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> > > Generate and assign a serial number per namespace instance since boot.
> > >
> > > Use a serial number per namespace (
On 14/05/10, Eric Paris wrote:
> On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> > Generate and assign a serial number per namespace instance since boot.
> >
> > Use a serial number per namespace (unique across one boot of one kernel)
> > instead of
On 14/05/10, Eric Paris wrote:
> On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
>
> Not so relevant because you delete all of this code later... But
> still...
>
> > +#ifdef CONFIG_NAMESPACES
> > +void audit_log_namespace_info(struct audit_buffer *ab, s
On 14/05/10, Eric Paris wrote:
> On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote:
> > Log the namespace serial numbers of a task in audit_log_task_info() which
> > is used by syscall audits, among others.
> >
> > Idea first presented:
> > http
by switching from an int to a long long.
Change rollover behaviour from simply avoiding zero to raising a BUG.
Expose serial numbers in /proc//ns/*_snum.
Expose ns_entries and use it in audit.
Richard Guy Briggs (6):
namespaces: assign each namespace instance a seria
Expose the namespace instance serial number for each namespace type in the proc
namespace operations structure to make it available for the proc filesystem.
Signed-off-by: Richard Guy Briggs
---
fs/namespace.c |7 +++
include/linux/proc_ns.h |1 +
ipc/namespace.c
Expose ns_entries so subsystems other than proc can use this set of namespace
operations.
Signed-off-by: Richard Guy Briggs
---
fs/proc/namespaces.c|2 +-
include/linux/proc_ns.h |1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/proc/namespaces.c b/fs/proc
Suggested-by: Serge E. Hallyn
Signed-off-by: Richard Guy Briggs
---
Although it works as expected, I'm not that happy with this patch because it
duplicates a lot of code, including minor changes to proc_ns_follow_link(),
proc_ns_readlink(), ns_dname() that will be harder to keep consistent. T
ns_entries])
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 43 ---
1 files changed, 12 insertions(+), 31 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index fe783ad..6452278 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -64,15
) to
uniquely identify it per kernel boot.
Signed-off-by: Richard Guy Briggs
---
fs/mount.h |1 +
fs/namespace.c |1 +
include/linux/ipc_namespace.h |1 +
include/linux/nsproxy.h|8
include/linux/pid_namespace.h |1 +
include
stemd" netns=97 utsns=2 ipcns=1 pidns=4 userns=3
mntns=5 subj=system_u:system_r:init_t:s0 key=(null)
The serial numbers are printed in hex.
Suggested-by: Aristeu Rozanski
Signed-off-by: Richard Guy Briggs
Acked-by: Serge Hallyn
---
include/linux/audit.h |7 +++
kernel/a
ystem is going to have a unique identifier for each different sub
> container.
So what is a sub container? A nested container? We still want to track
component namespaces of each nested container.
> However, I have to point out that a serial number isn't what you want
> either if
ottom...@hansenpartnership.com):
> >> > > On Mon, 2014-05-05 at 17:48 -0400, Richard Guy Briggs wrote:
> >> > > > On 14/05/05, Serge E. Hallyn wrote:
> >> > > > > Quoting James Bottomley
> >(james.bottom...@hansenpartnership.com):
On 14/05/05, Nicolas Dichtel wrote:
> On 02/05/2014 16:28, Richard Guy Briggs wrote:
> >On 14/05/02, Serge E. Hallyn wrote:
> >>Quoting Richard Guy Briggs (r...@redhat.com):
> >>>I saw no replies to my questions when I replied a year after Aris'
> >
On 14/05/06, Serge Hallyn wrote:
> Quoting Richard Guy Briggs (r...@redhat.com):
> > On 14/05/03, James Bottomley wrote:
> > > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Briggs wrote:
> > > > Questions:
> > > > Is there a way to link serial numbers of
On 14/05/05, James Bottomley wrote:
> On Mon, 2014-05-05 at 17:48 -0400, Richard Guy Briggs wrote:
> > On 14/05/05, Serge E. Hallyn wrote:
> > > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Bri
On 14/05/05, Serge E. Hallyn wrote:
> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Briggs wrote:
> > > Questions:
> > > Is there a way to link serial numbers of namespaces involved in migration
On 14/05/03, James Bottomley wrote:
> On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Briggs wrote:
> > Questions:
> > Is there a way to link serial numbers of namespaces involved in migration
> > of a
> > container to another kernel? (I had a brief look at CRI
On 14/05/02, Serge Hallyn wrote:
> Quoting Richard Guy Briggs (r...@redhat.com):
> > On 14/05/02, Serge E. Hallyn wrote:
> > > Quoting Richard Guy Briggs (r...@redhat.com):
> > > > I saw no replies to my questions when I replied a year after Aris'
On 14/05/02, Serge E. Hallyn wrote:
> Quoting Richard Guy Briggs (r...@redhat.com):
> > I saw no replies to my questions when I replied a year after Aris' posting,
> > so
> > I don't know if it was ignored or got lost in stale threads:
> > https://www
On 14/05/02, Serge E. Hallyn wrote:
> Quoting Richard Guy Briggs (r...@redhat.com):
>
> Most of this looks reasonable, but I'm curious about something,
>
> > +/**
> > + * ns_serial - compute a serial number for the namespace
> > + *
> > + * Compute a se
return -EPERM;
> err = netlink_realloc_groups(sk);
> if (err)
- RGB
--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 3263
On 14/04/22, David Miller wrote:
> From: Richard Guy Briggs
> Date: Fri, 18 Apr 2014 13:34:06 -0400
>
> > @@ -1449,6 +1453,26 @@ static int netlink_bind(struct socket *sock, struct
> > sockaddr *addr,
> > if (!nladdr->nl_groups && (nlk-
On 14/04/22, David Miller wrote:
> From: Richard Guy Briggs
> Date: Tue, 22 Apr 2014 21:31:52 -0400
>
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted
> > capability read-only netlink multicast socket to kernel audit to enable
restricted for integrity.
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |8 +++
kernel/audit.c | 51 ---
2 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/lin
Register a netlink per-protocol bind function for audit to check userspace
process capabilities before allowing a multicast group connection.
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/capability.h |7 ++-
kernel/audit.c | 10 ++
security
Test first to see if there are any userspace multicast listeners bound to the
socket before starting the multicast send work.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index
Call the per-protocol unbind function rather than bind function on
NETLINK_DROP_MEMBERSHIP in netlink_setsockopt().
Signed-off-by: Richard Guy Briggs
---
net/netlink/af_netlink.c |4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink
.html
https://lkml.org/lkml/2013/1/27/279
Please find source for a test program at:
http://people.redhat.com/rbriggs/audit-multicast-listen/
Richard Guy Briggs (6):
netlink: simplify nfnetlink_bind
netlink: have netlink per-protocol bind function return an error
Remove duplicity and simplify code flow by moving the rcu_read_unlock() above
the condition and let the flow control exit naturally at the end of the
function.
Signed-off-by: Richard Guy Briggs
---
net/netfilter/nfnetlink.c |7 ++-
1 files changed, 2 insertions(+), 5 deletions(-)
diff
could be denied before making them available, and to avoid
the messy job of undoing the addition should the per-protocol bind function
fail.
The netfilter subsystem seems to be the only one currently using the
per-protocol bind function.
Signed-off-by: Richard Guy Briggs
---
V1: This rev fixes a
influence the
master auditd. I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).
Richard Guy Brig
Assign a serial number per namespace since boot.
Signed-off-by: Richard Guy Briggs
---
fs/mount.h |1 +
fs/namespace.c |1 +
include/linux/ipc_namespace.h |1 +
include/linux/nsproxy.h|8
include/linux/pid_namespace.h |1
Log the namespace details of a task.
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h |7 +++
kernel/audit.c| 38 ++
2 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
ARCH: AUDIT: implement syscall_get_arch for all arches
>
> Signed-off-by: Stephen Rothwell
Looks good to me. Thanks.
Acked-by: Richard Guy Briggs
> ---
> arch/sparc/include/asm/syscall.h | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/sparc/include
Register a netlink per-protocol bind function for audit to check userspace
process capabilities before allowing a multicast group connection.
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/capability.h |7 ++-
kernel/audit.c | 10 ++
security
Call the per-protocol unbind function rather than bind function on
NETLINK_DROP_MEMBERSHIP in netlink_setsockopt().
Signed-off-by: Richard Guy Briggs
---
net/netlink/af_netlink.c |4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink
restricted for integrity.
Signed-off-by: Richard Guy Briggs
---
include/uapi/linux/audit.h |8 +++
kernel/audit.c | 51 ---
2 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/lin
Test first to see if there are any userspace multicast listeners bound to the
socket before starting the multicast send work.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c |3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index
http://people.redhat.com/rbriggs/audit-multicast-listen/
Richard Guy Briggs (6):
netlink: simplify nfnetlink_bind
netlink: have netlink per-protocol bind function return an error
code.
netlink: implement unbind to netlink_setsockopt
NETLINK_DROP_MEMBERSHIP
audit: add netlink audit protocol bi
Remove duplicity and simplify code flow by moving the rcu_read_unlock() above
the condition and let the flow control exit naturally at the end of the
function.
Signed-off-by: Richard Guy Briggs
---
net/netfilter/nfnetlink.c |7 ++-
1 files changed, 2 insertions(+), 5 deletions(-)
diff