[PATCH] lsm: get comm using lock to avoid race in string printing

2014-09-19 Thread Richard Guy Briggs
dit, losing fields. Use get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm. Tetsuo Handa Signed-off-by: Richard Guy Briggs --- I've manually checked for locking issues and found none. I've

Re: [PATCH] LSM: Pass comm name via get_task_comm() [was: Re: [PATCH] Change task_struct->comm to use RCU.]

2014-09-18 Thread Richard Guy Briggs
On 14/03/27, Stephen Smalley wrote: > On 03/27/2014 01:20 PM, Richard Guy Briggs wrote: > > On 14/03/12, James Morris wrote: > >> On Tue, 11 Mar 2014, Tetsuo Handa wrote: > >> > >>> And the same phrase goes to James Morris... > >>> > >>&

[PATCH] audit: remove open_arg() function that is never used

2014-09-18 Thread Richard Guy Briggs
open_arg() was added in commit 55669bfa "audit: AUDIT_PERM support" and never used. Remove it. Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c |8 1 files changed, 0 insertions(+), 8 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4e1744

[PATCH] selinux: hooks: cleanup orphan keywords in audit log text

2014-09-18 Thread Richard Guy Briggs
Convert audit_log() call to WARN_ONCE(). Rename "type=" to "nlmsg_type=" to avoid confusion with the audit record type. Added "protocol=" to help track down which protocol (NETLINK_AUDIT?) was used within the netlink protocol family. Signed-off-by: Richard Guy Brig

[PATCH] selinux: services: cleanup orphan keywords in audit log text

2014-09-18 Thread Richard Guy Briggs
Restructure to keyword=value pairs without spaces. Drop superfluous words in text. Make invalid_context a keyword. Change result= keyword to seresult=. Signed-off-by: Richard Guy Briggs --- security/selinux/ss/services.c | 14 -- 1 files changed, 8 insertions(+), 6 deletions

Re: [PATCH] audit: vfs: fix audit records error when write to a file

2014-09-17 Thread Richard Guy Briggs
t; mutex_lock(&dir->d_inode->i_mutex); > >> - error = lookup_open(nd, path, file, op, got_write, opened); > >> + error = lookup_open(nd, path, file, op, got_write, opened, name); > >> mutex_unlock(&dir->d_inode->i_mutex); > >> >

[PATCH] audit: restore AUDIT_LOGINUID unset ABI

2014-09-17 Thread Richard Guy Briggs
: exit,never auid=-1 (0x) syscall=all Cc: sta...@vger.kernel.org # v3.10-rc1+ Signed-off-by: Richard Guy Briggs --- kernel/auditfilter.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 40ed981..d0715a7 100644

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-09-02 Thread Richard Guy Briggs
On 14/08/28, Eric W. Biederman wrote: > Richard Guy Briggs writes: > > On 14/08/23, Eric W. Biederman wrote: > >> Richard Guy Briggs writes: > >> > >> > Generate and assign a serial number per namespace instance since boot. > >> > > >>

Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-27 Thread Richard Guy Briggs
8: ipip1@[unknown device in another namespace]: > >> mtu 1480 qdisc noop state DOWN > >> > >> I think this outcome is mandatory if netns 1 lives in a subsidiary > >> user namespace. > > > > Yes. > > > > > >> > >> Certa

[PATCH] audit: correct AUDIT_GET_FEATURE return message type

2014-08-24 Thread Richard Guy Briggs
-paste-eo in commit b0fed40. Reported-by: Steve Grubb Signed-off-by: Richard Guy Briggs --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index d20f00f..3a80abb 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -724,7 +724,7

[PATCH V4 2/4] audit: clean simple fsnotify implementation

2014-08-24 Thread Richard Guy Briggs
ename several "watch" references to "mark". RGB: Rename audit_remove_rule() to audit_remove_mark_rule(). RGB: Let audit_free_rule() take care of calling audit_remove_mark(). Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs --- kernel/Makefile |2 +- kerne

[PATCH V4 4/4] audit: avoid double copying the audit_exe path string

2014-08-24 Thread Richard Guy Briggs
Make this interface consistent with watch and filter key, avoiding the extra string copy and simply consume the new string pointer. Signed-off-by: Richard Guy Briggs --- kernel/audit_exe.c |5 - kernel/audit_fsnotify.c | 12 ++-- kernel/auditfilter.c|2 +- 3 files

[PATCH V4 3/4] audit: convert audit_exe to audit_fsnotify

2014-08-24 Thread Richard Guy Briggs
tinue to work. RGB: Put audit_alloc_mark() arguments in same order as watch, tree and inode. Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs --- include/linux/audit.h |2 +- kernel/audit.h | 34 +++--- kernel/audit_exe.c |

[PATCH V4 0/4] audit by executable name

2014-08-24 Thread Richard Guy Briggs
tml v0: Peter Moodie's original patches https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html Next step: Get full-path notify working. Eric Paris (3): audit: implement audit by executable audit: clean simple fsnotify implementation audit: convert audit_exe to audit

[PATCH V4 1/4] audit: implement audit by executable

2014-08-24 Thread Richard Guy Briggs
moment, this patch works. Based-on-user-interface-by: Richard Guy Briggs Cc: r...@redhat.com Based-on-idea-by: Peter Moody Cc: pmo...@google.com Signed-off-by: Eric Paris Signed-off-by: Richard Guy Briggs --- include/linux/audit.h |1 + include/uapi/linux/audit.h |2 + kernel/Makefile

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-24 Thread Richard Guy Briggs
On 14/08/23, Eric W. Biederman wrote: > Richard Guy Briggs writes: > > > Generate and assign a serial number per namespace instance since boot. > > > > Use a serial number per namespace (unique across one boot of one kernel) > > instead of the inode number (which is

Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-24 Thread Richard Guy Briggs
On 14/08/24, Andy Lutomirski wrote: > On Thu, Aug 21, 2014 at 6:58 PM, Richard Guy Briggs wrote: > > On 14/08/21, Andy Lutomirski wrote: > >> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote: > >> > Expose the namespace instance serial numbers in the p

Re: [PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Andy Lutomirski wrote: > On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote: > > Expose the namespace instance serial numbers in the proc filesystem at > > /proc//ns/_snum. The link text gives the serial number in hex. > > What's the use ca

Re: [PATCH V4 0/8] namespaces: log namespaces per task

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Aristeu Rozanski wrote: > Hi Richard, Hi Aris, > On Wed, Aug 20, 2014 at 09:09:33PM -0400, Richard Guy Briggs wrote: > > Is there a way to link serial numbers of namespaces involved in migration > > of a > > container to another kernel? It sounds like what

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Andy Lutomirski wrote: > On Thu, Aug 21, 2014 at 2:28 PM, Richard Guy Briggs wrote: > > On 14/08/21, Andy Lutomirski wrote: > >> On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote: > >> > > >> > Generate and assi

Re: [PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-21 Thread Richard Guy Briggs
On 14/08/21, Andy Lutomirski wrote: > On Aug 20, 2014 8:12 PM, "Richard Guy Briggs" wrote: > > > > Generate and assign a serial number per namespace instance since boot. > > > > Use a serial number per namespace (unique across one boot of one kernel) >

[PATCH V4 4/8] Documentation: add a section for /proc//ns/

2014-08-20 Thread Richard Guy Briggs
--- Documentation/filesystems/proc.txt | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt index ddc531a..c4bfd6f 100644 --- a/Documentation/filesystems/proc.txt +++ b/Documentation/filesy

[PATCH V4 3/8] namespaces: expose ns instance serial numbers in proc

2014-08-20 Thread Richard Guy Briggs
Suggested-by: Serge E. Hallyn Signed-off-by: Richard Guy Briggs --- fs/proc/namespaces.c | 33 + 1 files changed, 25 insertions(+), 8 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 8902609..e953e0a 100644 --- a/fs/proc/namespace

[PATCH V4 2/8] namespaces: expose namespace instance serial number in proc_ns_operations

2014-08-20 Thread Richard Guy Briggs
Expose the namespace instance serial number for each namespace type in the proc namespace operations structure to make it available for the proc filesystem. Signed-off-by: Richard Guy Briggs --- fs/namespace.c |7 +++ include/linux/proc_ns.h |1 + ipc/namespace.c

[PATCH V4 8/8] audit: initialize at subsystem time rather than device time

2014-08-20 Thread Richard Guy Briggs
The audit subsystem should be initialized a bit earlier so that it is in place in time for initial namespace serial number logging. --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 6d95d1c..aa99518 100644 --- a/kerne

[PATCH V4 1/8] namespaces: assign each namespace instance a serial number

2014-08-20 Thread Richard Guy Briggs
) to uniquely identify it per kernel boot. Signed-off-by: Richard Guy Briggs --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h|8 include/linux/pid_namespace.h |1 + include

[PATCH V4 6/8] audit: log namespace serial numbers

2014-08-20 Thread Richard Guy Briggs
format would look something like: type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 The serial numbers are printed in hex. Suggested-by: Aristeu Rozanski Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn --- include/linux/audit.h

[PATCH V4 5/8] namespaces: expose ns_entries

2014-08-20 Thread Richard Guy Briggs
Expose ns_entries so subsystems other than proc can use this set of namespace operations. Signed-off-by: Richard Guy Briggs --- fs/proc/namespaces.c|2 +- include/linux/proc_ns.h |1 + 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc

[PATCH V4 7/8] audit: log creation and deletion of namespace instances

2014-08-20 Thread Richard Guy Briggs
y: Richard Guy Briggs --- fs/namespace.c | 12 +++ include/linux/audit.h |8 +++ include/uapi/linux/audit.h | 12 +++ ipc/namespace.c| 10 + kernel/audit.c | 47 kernel/pid_n

[PATCH V4 0/8] namespaces: log namespaces per task

2014-08-20 Thread Richard Guy Briggs
_READ) in init_user_ns can get to this information in the init namespace at the moment from audit. *However*, the addition of the proc//ns/*_snum does make it available to other processes now. Richard Guy Briggs (8): namespaces: assign each namespace instance a serial number namespaces: expose

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-08-20 Thread Richard Guy Briggs
On 14/08/19, Eric W. Biederman wrote: > Richard Guy Briggs writes: > > > On 14/05/20, Richard Guy Briggs wrote: > >> On 14/05/20, Eric Paris wrote: > >> > On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: > >> > > The purpose is to trac

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-08-19 Thread Richard Guy Briggs
On 14/05/20, Richard Guy Briggs wrote: > On 14/05/20, Eric Paris wrote: > > On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: > > > The purpose is to track namespaces in use by logged processes from the > > > perspective of init_*_ns. (Including the Linux AP

[PATCH 0/3] [RFC] X32: fix syscall_get_nr while not breaking seccomp BPF

2014-07-10 Thread Richard Guy Briggs
to BPF. A new ARCH definition, AUDIT_ARCH_X86_X32, was added for syscall_get_arch(). Cc: Paul Moore Cc: Eric Paris Cc: Al Viro Cc: Will Drewry Cc: H. Peter Anvin Signed-off-by: Richard Guy Briggs Link: http://lkml.kernel.org/r/cover.1405023592.git@redhat.com Richard Guy Briggs (3

[PATCH 1/3] [RFC] audit: add AUDIT_ARCH_X86_X32 arch definition

2014-07-10 Thread Richard Guy Briggs
Add a definition for 32-bit native system calls under 64-bit x86 architectures. This is distinct from 32-bit emulation under 64-bit x86 architectures. Cc: Paul Moore Cc: Eric Paris Cc: Al Viro Cc: Will Drewry Cc: H. Peter Anvin Signed-off-by: Richard Guy Briggs --- include/uapi/linux

[PATCH 3/3] [RFC] Revert "x86: remove the x32 syscall bitmask from syscall_get_nr()"

2014-07-10 Thread Richard Guy Briggs
satisfy other regular users of syscall_get_nr() and syscall_get_arch() without changing the seccomp interface to BPF. Cc: Paul Moore Cc: Eric Paris Cc: Al Viro Cc: Will Drewry Cc: H. Peter Anvin Signed-off-by: Richard Guy Briggs Link: http://lkml.kernel.org/r/cover.1405023592.git

[PATCH 2/3] [RFC] seccomp: give BPF x32 bit when restoring x32 filter

2014-07-10 Thread Richard Guy Briggs
with reverting 8b4b9f2 should satisfy other regular users of syscall_get_nr() without changing the seccomp interface to BPF. Cc: Paul Moore Cc: Eric Paris Cc: Al Viro Cc: Will Drewry Cc: H. Peter Anvin Signed-off-by: Richard Guy Briggs Link: http://lkml.kernel.org/r/cover.1405023592.git

Re: [Linux-ima-user] [PATCH] audit: fix dangling keywords in integrity ima message output

2014-06-18 Thread Richard Guy Briggs
On 14/06/17, Mimi Zohar wrote: > On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote: > > Replace spaces in op keyword labels in log output since userspace audit > > tools > > can't parse orphaned keywords. > > The patch didn't apply cleanly to

[PATCH] [STABLE] audit: remove superfluous new- prefix in AUDIT_LOGIN messages

2014-06-17 Thread Richard Guy Briggs
The new- prefix on ses and auid are unnecessary and break ausearch. Upstream-commit: aa589a1 Cc: sta...@vger.kernel.org # v3.14-rc1 to v3.14 Reported-by: Steve Grubb Signed-off-by: Richard Guy Briggs --- kernel/auditsc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git

[PATCH] fixup! audit: use union for audit_field values since they are mutually exclusive

2014-06-17 Thread Richard Guy Briggs
Eric Paris suggested lsm_str and lsm_rule could be added to this optimisation. audit_free_rule needed a bit of re-factoring to accomplish this, but nothing too controversial. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h |6 -- kernel/auditfilter.c | 27

Re: [PATCH] Documentation: corrected sub-chapter number

2014-06-17 Thread Richard Guy Briggs
On 14/06/17, Randy Dunlap wrote: > On 06/16/14 12:48, Richard Guy Briggs wrote: > > The index is correct, but there are two sections tagged 3.7. Fix. > > > > Signed-off-by: Richard Guy Briggs > > This seems to already be fixed by commit > 49d063cb353265c3af701ba

[PATCH] audit: use atomic_t to simplify audit_serial()

2014-06-16 Thread Richard Guy Briggs
Since there is already a primitive to do this operation in the atomic_t, use it to simplify audit_serial(). Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 14 ++ 1 files changed, 2 insertions(+), 12 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 218899b

[PATCH] audit: use union for audit_field values since they are mutually exclusive

2014-06-16 Thread Richard Guy Briggs
Since only one of val, uid and gid are used at any given time, combine them to reduce the size of the struct audit_field. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h |8 +--- kernel/auditfilter.c |2 -- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a

[PATCH] audit: reduce scope of audit_log_fcaps

2014-06-16 Thread Richard Guy Briggs
audit_log_fcaps() isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |2 +- kernel/audit.h |1 - 2 files changed, 1 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index bdd0172..3225a5d 100644

[PATCH] audit: reduce scope of audit_net_id

2014-06-16 Thread Richard Guy Briggs
audit_net_id isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 59c0bbe..bdd0172 100644 --- a/kernel/audit.c +++ b/k

[PATCH] audit: fix dangling keywords in integrity ima message output

2014-06-16 Thread Richard Guy Briggs
Replace spaces in op keyword labels in log output since userspace audit tools can't parse orphaned keywords. Reported-by: Steve Grubb Signed-off-by: Richard Guy Briggs --- security/integrity/ima/ima_appraise.c |2 +- security/integrity/ima/ima_policy.c |6 +++--- 2 files chang
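
The patches above that restructure log text into keyword=value pairs without spaces (the seresult= rename, the IMA op labels, and the NS_INFO record whose namespace serials are printed in hex) all exist to keep records machine-parseable. The parser below is an added example, not code from the kernel audit tree or from the audit userspace tools; it shows why a label with an embedded space leaves an orphaned token that breaks the key=value grammar, how hex namespace serials should be decoded, and how the records of one event are joined by their msg=audit(timestamp:serial) stamp. The sample records are constructed for this example; the INTEGRITY_PCR lines with op=appraise data and op=appraise_data are hypothetical before/after illustrations, not the exact labels the IMA patch changed.

```python
"""Parse Linux audit records of the keyword=value form (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample records, modelled on the formats described in the
# patches above.  The NS_INFO line follows the separate-record format; the
# second SYSCALL line follows the earlier format where the serials were
# appended to the syscall record.  The INTEGRITY_PCR lines are hypothetical
# before/after illustrations of an op= label with and without a space.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1408577535.306:82): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=1234 auid=4294967295 uid=0 comm="systemd" '
    'subj=system_u:system_r:init_t:s0 key=(null)',
    'type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 '
    'pidns=4 userns=3 mntns=5',
    'type=SYSCALL msg=audit(1400594733.241:97): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=1 auid=4294967295 uid=0 comm="systemd" netns=97 '
    'utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 '
    'subj=system_u:system_r:init_t:s0 key=(null)',
    'type=INTEGRITY_PCR msg=audit(1402944000.000:12): op=appraise data '
    'cause=missing-hash comm="cat" res=0',
    'type=INTEGRITY_PCR msg=audit(1402944000.000:13): op=appraise_data '
    'cause=missing-hash comm="cat" res=0',
]

NS_KEYS = ('netns', 'utsns', 'ipcns', 'pidns', 'userns', 'mntns')

HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'\s*(?P<body>.*)$')


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)
    orphans: list = field(default_factory=list)   # tokens without '='


def split_tokens(body):
    """Split on spaces, but keep a double-quoted value (comm="a b") whole."""
    tokens, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ' ' and not in_quote:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens


def parse_record(line):
    """Parse one record into its type, event stamp, fields and orphans."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not an audit record: %r' % line)
    rec = AuditRecord(m.group('type'), float(m.group('ts')),
                      int(m.group('serial')))
    for tok in split_tokens(m.group('body')):
        key, eq, val = tok.partition('=')
        if not eq:
            # A label with a space ("op=appraise data") leaves "data" here:
            # exactly the orphaned keyword the userspace tools cannot parse.
            rec.orphans.append(tok)
            continue
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rec.fields[key] = val
    return rec


def namespace_serials(rec):
    """Namespace serials are printed in hex; return them as integers."""
    return {k: int(rec.fields[k], 16) for k in NS_KEYS if k in rec.fields}


def group_by_event(lines):
    """Records of one event share the msg=audit(timestamp:serial) stamp."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault((rec.timestamp, rec.serial), []).append(rec)
    return events


if __name__ == '__main__':
    for (ts, serial), recs in group_by_event(SAMPLE_RECORDS).items():
        print('event %s:%d %s' % (ts, serial, [r.type for r in recs]))
        for r in recs:
            if r.orphans:
                print('  %s has orphaned tokens: %s' % (r.type, r.orphans))
            if namespace_serials(r):
                print('  namespaces:', namespace_serials(r))
```

The orphan list is the check a practitioner wants when adding a new audit record type: run the new record's text through the parser and anything that lands in orphans is a label that needs an underscore or a keyword of its own.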

[PATCH] Documentation: corrected sub-chapter number

2014-06-16 Thread Richard Guy Briggs
The index is correct, but there are two sections tagged 3.7. Fix. Signed-off-by: Richard Guy Briggs --- Documentation/filesystems/proc.txt |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt index

Re: [Linux-ima-user] orphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

2014-06-14 Thread Richard Guy Briggs
On 14/06/14, Mimi Zohar wrote: > On Sat, 2014-06-14 at 12:43 +0300, Dmitry Kasatkin wrote: > > On 14 June 2014 03:02, Richard Guy Briggs wrote: > > > On 14/04/02, Richard Guy Briggs wrote: > > >> On 14/04/02, Mimi Zohar wrote: > > >> > On Wed

Re: orphaned keywords in audit log text [was: Re: [PATCH] integrity: get comm using lock to avoid race in string] printing

2014-06-13 Thread Richard Guy Briggs
On 14/04/02, Richard Guy Briggs wrote: > On 14/04/02, Mimi Zohar wrote: > > On Wed, 2014-04-02 at 14:18 -0400, Eric Paris wrote: > > > On Wed, 2014-04-02 at 14:12 -0400, Mimi Zohar wrote: > > > > On Wed, 2014-04-02 at 14:00 -0400, Steve Grubb wrote: > > >

Re: [PATCH 1/1] kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0]

2014-06-13 Thread Richard Guy Briggs
LAST_FEATURE + 1 > > sizeof(audit_feature_names)/sizeof(audit_feature_names[0])); > + BUILD_BUG_ON(AUDIT_LAST_FEATURE + 1 > ARRAY_SIZE(audit_feature_names)); > uaf = nlmsg_data(nlmsg_hdr(skb)); > > /* if there is ever a version 2 we should handle that here */ &g

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-05-26 Thread Richard Guy Briggs
On 14/05/26, Michael Kerrisk (man-pages) wrote: > Hi Richard > > On Mon, May 26, 2014 at 6:58 PM, Richard Guy Briggs wrote: > > On 14/05/22, Michael Kerrisk wrote: > >> Richard, > > > > Hi Michael, > > > >> On Tue, May 20, 2014 at 3:12 PM, Ric

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-05-26 Thread Richard Guy Briggs
On 14/05/22, Michael Kerrisk wrote: > Richard, Hi Michael, > On Tue, May 20, 2014 at 3:12 PM, Richard Guy Briggs wrote: > > The purpose is to track namespaces in use by logged processes from the > > perspective of init_*_ns. > > > > 1/6 defines a function to

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-05-20 Thread Richard Guy Briggs
On 14/05/20, Eric Paris wrote: > On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: > > The purpose is to track namespaces in use by logged processes from the > > perspective of init_*_ns. > > > > 1/6 defines a function to generate them and assigns them. >

[PATCH V3 5/6] audit: log namespace serial numbers

2014-05-20 Thread Richard Guy Briggs
stemd" netns=97 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 subj=system_u:system_r:init_t:s0 key=(null) The serial numbers are printed in hex. Suggested-by: Aristeu Rozanski Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn --- include/linux/audit.h |7 +++ kernel/a

[PATCH V3 4/6] namespaces: expose ns_entries

2014-05-20 Thread Richard Guy Briggs
Expose ns_entries so subsystems other than proc can use this set of namespace operations. Signed-off-by: Richard Guy Briggs --- fs/proc/namespaces.c|2 +- include/linux/proc_ns.h |1 + 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc

[PATCH V3 2/6] namespaces: expose namespace instance serial number in proc_ns_operations

2014-05-20 Thread Richard Guy Briggs
Expose the namespace instance serial number for each namespace type in the proc namespace operations structure to make it available for the proc filesystem. Signed-off-by: Richard Guy Briggs --- fs/namespace.c |7 +++ include/linux/proc_ns.h |1 + ipc/namespace.c

[PATCH V3 6/6] audit: log creation and deletion of namespace instances

2014-05-20 Thread Richard Guy Briggs
cloned. The types are CLONE_NEW* listed in include/uapi/linux/sched.h. Signed-off-by: Richard Guy Briggs --- fs/namespace.c |4 include/linux/audit.h |8 include/uapi/linux/audit.h |2 ++ ipc/namespace.c| 10 ++ kernel/audit.c

[PATCH V3 3/6] namespaces: expose ns instance serial numbers in proc

2014-05-20 Thread Richard Guy Briggs
Suggested-by: Serge E. Hallyn Signed-off-by: Richard Guy Briggs --- fs/proc/namespaces.c | 33 + 1 files changed, 25 insertions(+), 8 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 9ae46b8..57fce90 100644 --- a/fs/proc/namespace

[PATCH V3 1/6] namespaces: assign each namespace instance a serial number

2014-05-20 Thread Richard Guy Briggs
) to uniquely identify it per kernel boot. Signed-off-by: Richard Guy Briggs --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h|8 include/linux/pid_namespace.h |1 + include

[PATCH V3 0/6] namespaces: log namespaces per task

2014-05-20 Thread Richard Guy Briggs
in init_user_ns can get to this information in the init namespace at the moment from audit. *However*, the addition of the proc//ns/*_snum does make it available to other processes now. Richard Guy Briggs (6): namespaces: assign each namespace instance a serial number namespaces: expose namespace

Re: [PATCH V2 1/6] namespaces: assign each namespace instance a serial number

2014-05-13 Thread Richard Guy Briggs
On 14/05/13, Richard Guy Briggs wrote: > On 14/05/10, Eric Paris wrote: > > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: > > > Generate and assign a serial number per namespace instance since boot. > > > > > > Use a serial number per namespace (

Re: [PATCH V2 1/6] namespaces: assign each namespace instance a serial number

2014-05-13 Thread Richard Guy Briggs
On 14/05/10, Eric Paris wrote: > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: > > Generate and assign a serial number per namespace instance since boot. > > > > Use a serial number per namespace (unique across one boot of one kernel) > > instead of

Re: [PATCH V2 2/6] audit: log namespace serial numbers

2014-05-13 Thread Richard Guy Briggs
On 14/05/10, Eric Paris wrote: > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: > > Not so relevant because you delete all of this code later... But > still... > > > +#ifdef CONFIG_NAMESPACES > > +void audit_log_namespace_info(struct audit_buffer *ab, s

Re: [PATCH V2 2/6] audit: log namespace serial numbers

2014-05-13 Thread Richard Guy Briggs
On 14/05/10, Eric Paris wrote: > On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: > > Log the namespace serial numbers of a task in audit_log_task_info() which > > is used by syscall audits, among others.. > > > > Idea first presented: > > http

[PATCH V2 0/6] namespaces: log namespaces per task

2014-05-09 Thread Richard Guy Briggs
by switching from an int to a long long. Change rollover behaviour from simply avoiding zero to raising a BUG. Expose serial numbers in /proc//ns/*_snum. Expose ns_entries and use it in audit. Richard Guy Briggs (6): namespaces: assign each namespace instance a seria

[PATCH V2 3/6] namespaces: expose namespace instance serial number in proc_ns_operations

2014-05-09 Thread Richard Guy Briggs
Expose the namespace instance serial number for each namespace type in the proc namespace operations structure to make it available for the proc filesystem. Signed-off-by: Richard Guy Briggs --- fs/namespace.c |7 +++ include/linux/proc_ns.h |1 + ipc/namespace.c

[PATCH V2 5/6] namespaces: expose ns_entries

2014-05-09 Thread Richard Guy Briggs
Expose ns_entries so subsystems other than proc can use this set of namespace operations. Signed-off-by: Richard Guy Briggs --- fs/proc/namespaces.c|2 +- include/linux/proc_ns.h |1 + 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc

[PATCH V2 4/6] namespaces: expose ns instance serial numbers in proc

2014-05-09 Thread Richard Guy Briggs
Suggested-by: Serge E. Hallyn Signed-off-by: Richard Guy Briggs --- Although it works as expected, I'm not that happy with this patch because it duplicates a lot of code, including minor changes to proc_ns_follow_link(), proc_ns_readlink(), ns_dname() that will be harder to keep consistent. T

[PATCH V2 6/6] audit: convert namespace serial number logging to use proc ns_entries

2014-05-09 Thread Richard Guy Briggs
ns_entries]) Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 43 --- 1 files changed, 12 insertions(+), 31 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index fe783ad..6452278 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -64,15

[PATCH V2 1/6] namespaces: assign each namespace instance a serial number

2014-05-09 Thread Richard Guy Briggs
) to uniquely identify it per kernel boot. Signed-off-by: Richard Guy Briggs --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h|8 include/linux/pid_namespace.h |1 + include

[PATCH V2 2/6] audit: log namespace serial numbers

2014-05-09 Thread Richard Guy Briggs
stemd" netns=97 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 subj=system_u:system_r:init_t:s0 key=(null) The serial numbers are printed in hex. Suggested-by: Aristeu Rozanski Signed-off-by: Richard Guy Briggs Acked-by: Serge Hallyn --- include/linux/audit.h |7 +++ kernel/a

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-06 Thread Richard Guy Briggs
ystem is going to have a unique identifier for each different sub > container. So what is a sub container? A nested container? We still want to track component namespaces of each nested container. > However, I have to point out that a serial number isn't what you want > either if

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-06 Thread Richard Guy Briggs
ottom...@hansenpartnership.com): > >> > > On Mon, 2014-05-05 at 17:48 -0400, Richard Guy Briggs wrote: > >> > > > On 14/05/05, Serge E. Hallyn wrote: > >> > > > > Quoting James Bottomley > >(james.bottom...@hansenpartnership.com): > >> &

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-06 Thread Richard Guy Briggs
On 14/05/05, Nicolas Dichtel wrote: > On 02/05/2014 16:28, Richard Guy Briggs wrote: > >On 14/05/02, Serge E. Hallyn wrote: > >>Quoting Richard Guy Briggs (r...@redhat.com): > >>>I saw no replies to my questions when I replied a year after Aris' > >

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-06 Thread Richard Guy Briggs
On 14/05/06, Serge Hallyn wrote: > Quoting Richard Guy Briggs (r...@redhat.com): > > On 14/05/03, James Bottomley wrote: > > > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Briggs wrote: > > > > Questions: > > > > Is there a way to link serial numbers of

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-05 Thread Richard Guy Briggs
On 14/05/05, James Bottomley wrote: > On Mon, 2014-05-05 at 17:48 -0400, Richard Guy Briggs wrote: > > On 14/05/05, Serge E. Hallyn wrote: > > > Quoting James Bottomley (james.bottom...@hansenpartnership.com): > > > > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Bri

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-05 Thread Richard Guy Briggs
On 14/05/05, Serge E. Hallyn wrote: > Quoting James Bottomley (james.bottom...@hansenpartnership.com): > > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Briggs wrote: > > > Questions: > > > Is there a way to link serial numbers of namespaces involved in migration &g

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-05 Thread Richard Guy Briggs
On 14/05/03, James Bottomley wrote: > On Tue, 2014-04-22 at 14:12 -0400, Richard Guy Briggs wrote: > > Questions: > > Is there a way to link serial numbers of namespaces involved in migration > > of a > > container to another kernel? (I had a brief look at CRI

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-05 Thread Richard Guy Briggs
On 14/05/02, Serge Hallyn wrote: > Quoting Richard Guy Briggs (r...@redhat.com): > > On 14/05/02, Serge E. Hallyn wrote: > > > Quoting Richard Guy Briggs (r...@redhat.com): > > > > I saw no replies to my questions when I replied a year after Aris' > > &

Re: [PATCH 0/2] namespaces: log namespaces per task

2014-05-02 Thread Richard Guy Briggs
On 14/05/02, Serge E. Hallyn wrote: > Quoting Richard Guy Briggs (r...@redhat.com): > > I saw no replies to my questions when I replied a year after Aris' posting, > > so > > I don't know if it was ignored or got lost in stale threads: > > https://www

Re: [PATCH 1/2] namespaces: give each namespace a serial number

2014-05-02 Thread Richard Guy Briggs
On 14/05/02, Serge E. Hallyn wrote: > Quoting Richard Guy Briggs (r...@redhat.com): > > Most of this looks reasonable, but I'm curious about something, > > > +/** > > + * ns_serial - compute a serial number for the namespace > > + * > > + * Compute a se

Re: linux-next: manual merge of the net-next tree with the net tree

2014-04-28 Thread Richard Guy Briggs
return -EPERM; > err = netlink_realloc_groups(sk); > if (err) - RGB -- Richard Guy Briggs Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 3263

Re: [PATCH 2/6] netlink: have netlink per-protocol bind function return an error code.

2014-04-22 Thread Richard Guy Briggs
On 14/04/22, David Miller wrote: > From: Richard Guy Briggs > Date: Fri, 18 Apr 2014 13:34:06 -0400 > > > @@ -1449,6 +1453,26 @@ static int netlink_bind(struct socket *sock, struct > > sockaddr *addr, > > if (!nladdr->nl_groups && (nlk-

Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Richard Guy Briggs
On 14/04/22, David Miller wrote: > From: Richard Guy Briggs > Date: Tue, 22 Apr 2014 21:31:52 -0400 > > > This is a patch set Eric Paris and I have been working on to add a > > restricted > > capability read-only netlink multicast socket to kernel audit to enable &g

[PATCH 5/6][v2] audit: add netlink multicast group for log read

2014-04-22 Thread Richard Guy Briggs
restricted for integrity. Signed-off-by: Richard Guy Briggs --- include/uapi/linux/audit.h |8 +++ kernel/audit.c | 51 --- 2 files changed, 55 insertions(+), 4 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/lin

[PATCH 4/6][v2] audit: add netlink audit protocol bind to check capabilities on multicast join

2014-04-22 Thread Richard Guy Briggs
Register a netlink per-protocol bind function for audit to check userspace process capabilities before allowing a multicast group connection. Signed-off-by: Richard Guy Briggs --- include/uapi/linux/capability.h |7 ++- kernel/audit.c | 10 ++ security

[PATCH 6/6][v2] audit: send multicast messages only if there are listeners

2014-04-22 Thread Richard Guy Briggs
Test first to see if there are any userspace multicast listeners bound to the socket before starting the multicast send work. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index

[PATCH 3/6][v2] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP

2014-04-22 Thread Richard Guy Briggs
Call the per-protocol unbind function rather than bind function on NETLINK_DROP_MEMBERSHIP in netlink_setsockopt(). Signed-off-by: Richard Guy Briggs --- net/netlink/af_netlink.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink

[PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Richard Guy Briggs
.html https://lkml.org/lkml/2013/1/27/279 Please find source for a test program at: http://people.redhat.com/rbriggs/audit-multicast-listen/ Richard Guy Briggs (6): netlink: simplify nfnetlink_bind netlink: have netlink per-protocol bind function return an error

[PATCH 1/6][v2] netlink: simplify nfnetlink_bind

2014-04-22 Thread Richard Guy Briggs
Remove duplicity and simplify code flow by moving the rcu_read_unlock() above the condition and let the flow control exit naturally at the end of the function. Signed-off-by: Richard Guy Briggs --- net/netfilter/nfnetlink.c |7 ++- 1 files changed, 2 insertions(+), 5 deletions(-) diff

[PATCH 2/6][v2] netlink: have netlink per-protocol bind function return an error code.

2014-04-22 Thread Richard Guy Briggs
could be denied before making them available, and to avoid the messy job of undoing the addition should the per-protocol bind function fail. The netfilter subsystem seems to be the only one currently using the per-protocol bind function. Signed-off-by: Richard Guy Briggs --- V1: This rev fixes a

[PATCH 0/2] namespaces: log namespaces per task

2014-04-22 Thread Richard Guy Briggs
influence the master auditd. I echo Eric B's idea that messages destined for different namespaces would have to be tailored for that namespace with references that make sense (such as the right pid number reported to that pid namespace, and not leaking info about parents or peers). Richard Guy Brig

[PATCH 1/2] namespaces: give each namespace a serial number

2014-04-22 Thread Richard Guy Briggs
Assign a serial number per namespace since boot. Signed-off-by: Richard Guy Briggs --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h|8 include/linux/pid_namespace.h |1

[PATCH 2/2] audit: log namespace serial numbers

2014-04-22 Thread Richard Guy Briggs
Log the namespace details of a task. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h |7 +++ kernel/audit.c| 38 ++ 2 files changed, 45 insertions(+), 0 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h

Re: linux-next: build failure after merge of the audit tree

2014-04-22 Thread Richard Guy Briggs
ARCH: AUDIT: implement syscall_get_arch for all arches > > Signed-off-by: Stephen Rothwell Looks good to me. Thanks. Acked-by: Richard Guy Briggs > --- > arch/sparc/include/asm/syscall.h | 4 > 1 file changed, 4 insertions(+) > > diff --git a/arch/sparc/include

[PATCH 4/6] audit: add netlink audit protocol bind to check capabilities on multicast join

2014-04-18 Thread Richard Guy Briggs
Register a netlink per-protocol bind function for audit to check userspace process capabilities before allowing a multicast group connection. Signed-off-by: Richard Guy Briggs --- include/uapi/linux/capability.h |7 ++- kernel/audit.c | 10 ++ security

[PATCH 3/6] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP

2014-04-18 Thread Richard Guy Briggs
Call the per-protocol unbind function rather than bind function on NETLINK_DROP_MEMBERSHIP in netlink_setsockopt(). Signed-off-by: Richard Guy Briggs --- net/netlink/af_netlink.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink

[PATCH 5/6] audit: add netlink multicast group for log read

2014-04-18 Thread Richard Guy Briggs
restricted for integrity. Signed-off-by: Richard Guy Briggs --- include/uapi/linux/audit.h |8 +++ kernel/audit.c | 51 --- 2 files changed, 55 insertions(+), 4 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/lin

[PATCH 6/6] audit: send multicast messages only if there are listeners

2014-04-18 Thread Richard Guy Briggs
Test first to see if there are any userspace multicast listeners bound to the socket before starting the multicast send work. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index

[PATCH 0/6] audit: implement multicast socket for journald

2014-04-18 Thread Richard Guy Briggs
http://people.redhat.com/rbriggs/audit-multicast-listen/ Richard Guy Briggs (6): netlink: simplify nfnetlink_bind netlink: have netlink per-protocol bind function return an error code. netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP audit: add netlink audit protocol bi

[PATCH 1/6] netlink: simplify nfnetlink_bind

2014-04-18 Thread Richard Guy Briggs
Remove duplicity and simplify code flow by moving the rcu_read_unlock() above the condition and let the flow control exit naturally at the end of the function. Signed-off-by: Richard Guy Briggs --- net/netfilter/nfnetlink.c |7 ++- 1 files changed, 2 insertions(+), 5 deletions(-) diff
