Re: [PATCH 1/2] selinux: don't enable minimum mmap checking by default

2007-06-28 Thread Eric Paris
are not present in the user's policy. Signed-off-by: James Morris [EMAIL PROTECTED] Acked-by: Eric Paris [EMAIL PROTECTED]

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Eric Paris
On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: This patchset is the first part of namespace support for audit. In this patchset, the main resources of the audit system have been isolated. The audit filter, rules haven't been

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Eric Paris
On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: On 06/20/2013 04:51 AM, Eric Paris wrote: On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: This patchset is the first part of namespace support for audit. In this patchset

Re: Oddness in security/Makefile

2013-09-10 Thread Eric Paris
From 4675ca3470e3c2e325c5be6d9a11f47ac0917537 Mon Sep 17 00:00:00 2001 From: Eric Paris epa...@redhat.com Date: Tue, 10 Sep 2013 09:51:50 -0400 Subject: [PATCH] security: remove erroneous comment about capabilities.o link ordering Back when we had half ass LSM stacking we had to link

Re: [RFC] audit: avoid soft lockup in audit_log_start()

2013-09-10 Thread Eric Paris
On Mon, 2013-09-09 at 18:32 +0400, Konstantin Khlebnikov wrote: Luiz Capitulino wrote: I'm getting the following soft lockup: CPU: 6 PID: 2278 Comm: killall5 Tainted: GF3.11.0-rc7+ #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 0099 88011fd83de8

Re: [libseccomp-discuss] ARM audit, seccomp, etc are broken wrt OABI syscalls

2013-11-06 Thread Eric Paris
On Tue, 2013-11-05 at 14:36 -0800, Andy Lutomirski wrote: [cc: some ARM people] After a bit of an adventure, I got QEMU working. (Linux 3.12's smc91x driver and qemu 1.6 don't get along. It would be great if some kernel.org page described a standard way to boot a modern Linux image on a

Re: linux-next: build failure after merge of the audit tree

2013-11-06 Thread Eric Paris
On Wed, 2013-11-06 at 17:27 +1100, Stephen Rothwell wrote: Hi Eric, After merging the audit tree, today's linux-next build (x86_64 allmodconfig) failed like this: kernel/auditsc.c: In function 'audit_set_loginuid': kernel/auditsc.c:2003:15: error: incompatible types when assigning to type

Re: [PATCH v2] seccomp: not compatible with ARM OABI

2013-11-07 Thread Eric Paris
On Thu, 2013-11-07 at 10:39 -0800, Kees Cook wrote: On Thu, Nov 7, 2013 at 10:16 AM, Andy Lutomirski l...@amacapital.net wrote: On Thu, Nov 7, 2013 at 9:47 AM, Kees Cook keesc...@chromium.org wrote: Make sure that seccomp filter won't be built when ARM OABI is in use, since there is work

Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option

2013-09-18 Thread Eric Paris
On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote: readahead-collector abuses the audit logging facility to discover which files are accessed at boot time to make a pre-load list. Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up, or gets blocked, the

Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option

2013-09-18 Thread Eric Paris
On Wed, 2013-09-18 at 16:49 -0400, Richard Guy Briggs wrote: On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote: On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote: readahead-collector abuses the audit logging facility to discover which files are accessed at boot time

Re: [PATCH 0/6] kexec: A new system call to allow in kernel loading

2013-11-22 Thread Eric Paris
On Fri, Nov 22, 2013 at 10:33 AM, Jiri Kosina jkos...@suse.cz wrote: On Fri, 22 Nov 2013, Geert Uytterhoeven wrote: Only arm, i386, ppc, ppc64, sh, and x86_64 support zImage. It's not clear to me what alpha supports (if it supports anything at all?). Motivation behind this patchset

[GIT PULL] Audit tree for 3.13

2013-11-14 Thread Eric Paris
to 9175c9d2aed528800175ef81c90569d00d23f9be: audit: fix type of sessionid in audit_set_loginuid() (2013-11-06 11:47:24 -0500) Eric Paris (10): audit: implement generic feature setting and retrieving selinux: apply

Re: [PATCH] audit: process errors from filter user rules

2013-12-05 Thread Eric Paris
I know we talked about this patch, and it seemed like a good idea at the time, but honestly, these races are so rare, it isn't worth the code complexity. I tried to simplify the readability of your code and got something better, but still the loop is needless... Just log the messages on any

Re: [PATCH 7/7] pid: get pid_t ppid of task in init_pid_ns

2014-03-17 Thread Eric Paris
On Mon, 2014-03-17 at 13:14 -0700, Tony Luck wrote: On Thu, Jan 23, 2014 at 11:32 AM, Richard Guy Briggs r...@redhat.com wrote: Added the functions task_ppid_nr_ns() and task_ppid_nr() to abstract the lookup of the PPID (real_parent's pid_t) of a process, including rcu locking, in the

Re: [libseccomp-discuss] Making a universal list of syscalls?

2014-02-27 Thread Eric Paris
On Thu, 2014-02-27 at 12:40 -0800, Andy Lutomirski wrote: Currently, dealing with Linux syscalls in an architecture-independent way is a mess. Here are some issues: 1. There's no clean way to map between syscall names and numbers on different architectures. The kernel contains a number of

Re: [RFC][PATCH] audit: Simplify by assuming the callers socket buffer is large enough

2014-03-07 Thread Eric Paris
As usual Eric, your commentary is anything but useful. However your technical thoughts are not off the mark. Can we stick to those? On Wed, 2014-03-05 at 10:06 -0800, Eric W. Biederman wrote: Steve Grubb sgr...@redhat.com writes: On Tuesday, March 04, 2014 07:21:52 PM David Miller wrote:

Re: [RFC][PATCH] audit: Simplify by assuming the callers socket buffer is large enough

2014-03-07 Thread Eric Paris
On Fri, 2014-03-07 at 19:48 -0500, David Miller wrote: From: Eric Paris epa...@redhat.com Date: Fri, 07 Mar 2014 17:52:02 -0500 Audit is non-tolerant to failure and loss. Netlink is not a loss-less transport. I'm happy to accept that (and know it to be true). How can I better architect

Re: [GIT PULL] namespaces fixes for 3.14-rcX

2014-03-10 Thread Eric Paris
On Sun, 2014-03-09 at 20:06 -0700, Eric W. Biederman wrote: Linus, Please pull the for-linus branch from the git tree: git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-linus HEAD: d211f177b28ec070c25b3d0b960aa55f352f731f audit: Update kdoc for

Re: [RFC][PATCH] audit: Simplify by assuming the callers socket buffer is large enough

2014-03-10 Thread Eric Paris
On Mon, 2014-03-10 at 15:30 -0400, David Miller wrote: From: Eric Paris epa...@redhat.com Date: Fri, 07 Mar 2014 17:52:02 -0500 The second user Eric patched, audit_send_list(), can grow without bound. The number of skb's is going to be the size of the number of audit rules that root

[PATCH 1/2] syscall_get_arch: remove useless function arguments

2014-03-11 Thread Eric Paris
Every caller of syscall_get_arch() uses current for the task and no implementors of the function need args. So just get rid of both of those things. Admittedly, since these are inline functions we aren't wasting stack space, but it just makes the prototypes better. Signed-off-by: Eric Paris epa

Re: [PATCH 2/2] audit: Convert int limit uses to u32

2014-01-14 Thread Eric Paris
On Tue, 2014-01-14 at 10:33 -0800, Joe Perches wrote: The equivalent uapi struct uses __u32 so make the kernel uses u32 too. This can prevent some oddities where the limit is logged/emitted as a negative value. Convert kstrtol to kstrtouint to disallow negative values. diff --git

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-14 Thread Eric Paris
On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm=test sig=31 syscall=231 compat=0

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-14 Thread Eric Paris
On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote: On 14/02/14, Richard Guy Briggs wrote: On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit

Re: [PATCH v3] audit: Turn off TIF_SYSCALL_AUDIT when there are no rules

2014-02-18 Thread Eric Paris
On Mon, 2014-02-10 at 11:01 -0800, Andy Lutomirski wrote: On Mon, Feb 10, 2014 at 9:29 AM, Andy Lutomirski l...@amacapital.net wrote: On Mon, Feb 10, 2014 at 8:57 AM, Oleg Nesterov o...@redhat.com wrote: On 02/08, Andy Lutomirski wrote: +void audit_inc_n_rules() +{ + struct

Re: [PATCH v3] audit: Turn off TIF_SYSCALL_AUDIT when there are no rules

2014-02-18 Thread Eric Paris
On Mon, 2014-02-10 at 12:04 -0800, Andy Lutomirski wrote: On Mon, Feb 10, 2014 at 11:12 AM, Steve Grubb sgr...@redhat.com wrote: 2. Do AVC denial messages still get logged if audit_enable == 0? If not, then audit_enable is a non-starter. They go out printk/dmesg/syslog

Re: [ARCH question] Do syscall_get_nr and syscall_get_arguments always work?

2014-02-18 Thread Eric Paris
On Fri, 2014-02-07 at 08:40 -0800, Andy Lutomirski wrote: On Fri, Feb 7, 2014 at 4:58 AM, Jonas Bonn jonas.b...@gmail.com wrote: Hi Andy, On 5 February 2014 00:50, Andy Lutomirski l...@amacapital.net wrote: I can't even find the system call entry point on mips. Is there a

Re: [PATCH v3] audit: Turn off TIF_SYSCALL_AUDIT when there are no rules

2014-02-18 Thread Eric Paris
On Sat, 2014-02-08 at 13:06 -0800, Andy Lutomirski wrote: This toggles TIF_SYSCALL_AUDIT as needed when rules change instead of leaving it set whenever rules might be set in the future. This reduces syscall latency from 60ns to closer to 40ns on my laptop. Al also politely reminded me it

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-18 Thread Eric Paris
On Tue, 2014-02-18 at 15:50 -0500, Richard Guy Briggs wrote: On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote: On 14/02/14, Richard Guy Briggs wrote: On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote

Re: [PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join

2014-02-19 Thread Eric Paris
On Wed, 2014-02-19 at 13:08 -0500, Richard Guy Briggs wrote: Register a netlink per-protocol bind function for audit to check userspace process capabilities before allowing a multicast group connection. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 10 ++

Re: [ARCH question] Do syscall_get_nr and syscall_get_arguments always work?

2014-02-19 Thread Eric Paris
On Tue, 2014-02-18 at 19:09 -0800, Andy Lutomirski wrote: On Tue, Feb 18, 2014 at 11:39 AM, Eric Paris epa...@redhat.com wrote: Al just indicated to me that on at least ia64, syscall_get_arguments() is really expensive. So maybe not a deal breaker, but sounds like we'd lose a lot

Re: [PATCH RFC 00/48] Add namespace support for audit

2013-05-08 Thread Eric Paris
What kernel are these patches against? On Tue, 2013-05-07 at 10:20 +0800, Gao feng wrote: This patchset tries to add namespace support for audit. I choose to assign audit to the user namespace. Right now, there are six kinds of namespaces, such as net, mount, ipc, pid, uts and user. The first

Re: [PATCH RFC 00/48] Add namespace support for audit

2013-06-11 Thread Eric Paris
On Tue, 2013-06-11 at 13:59 +0800, Gao feng wrote: On 06/11/2013 05:24 AM, Serge E. Hallyn wrote: Quoting Gao feng (gaof...@cn.fujitsu.com): On 06/07/2013 06:47 AM, Serge Hallyn wrote: Quoting Serge Hallyn (serge.hal...@ubuntu.com): Quoting Gao feng (gaof...@cn.fujitsu.com): On

Re: Stupid VFS name lookup interface..

2013-05-29 Thread Eric Paris
On Sat, May 25, 2013 at 10:19 PM, Linus Torvalds torva...@linux-foundation.org wrote: On Sat, May 25, 2013 at 10:04 PM, James Morris jmor...@namei.org wrote: On Sat, 25 May 2013, Linus Torvalds wrote: But I haven't even looked at what non-selinux setups do to performance. Last time I tried

[RFC PATCH 1/2] selinux: merge selinux_inode_permission and inode_has_perm

2013-06-03 Thread Eric Paris
selinux_inode_permission had some heavy lifting done to make it more performance polite. But it still does largely the same thing as inode_has_perm. So move that work into inode_has_perm and call inode_has_perm from selinux_inode_permission. Signed-off-by: Eric Paris epa...@redhat.com

[RFC PATCH 2/2] SELinux: cache inode checks inside struct inode

2013-06-03 Thread Eric Paris
-by: Eric Paris epa...@redhat.com --- include/linux/fs.h | 5 +++ security/selinux/hooks.c| 62 ++--- security/selinux/include/security.h | 1 + security/selinux/ss/services.c | 5 +++ 4 files changed, 69 insertions(+), 4

Re: [RFC PATCH 1/2] selinux: merge selinux_inode_permission and inode_has_perm

2013-06-03 Thread Eric Paris
On Mon, 2013-06-03 at 14:59 -0400, Eric Paris wrote: selinux_inode_permission had some heavy lifting done to make it more performance polite. But it still does largely the same thing as inode_has_perm. So move that work into inode_has_perm and call inode_has_perm from

Re: [RFC PATCH 2/2] SELinux: cache inode checks inside struct inode

2013-06-03 Thread Eric Paris
On Tue, 2013-06-04 at 06:31 +0900, Linus Torvalds wrote: On Mon, 3 Jun 2013, Eric Paris wrote: #ifdef CONFIG_SECURITY + seqcount_t i_security_seqcount; + u32 i_last_task_sid; + u32 i_last_granting; + u32

Re: [PATCH] audit: destroy filename correctly PING.

2013-04-23 Thread Eric Paris
I picked it up for 3.10. Sorry, should have said something. Thanks! -Eric - Original Message - On Mon, 1 Apr 2013 11:00:00 +0400, Dmitry Monakhov dmonak...@openvz.org wrote: Ping. Patch (https://lkml.org/lkml/2013/4/1/65) was not a 1st April's joke. Add CC:linux-au...@redhat.com

Re: linux-next: build warning after merge of the final tree (in Linus' tree)

2013-05-17 Thread Eric Paris
On Fri, 2013-05-17 at 10:47 +0530, Viresh Kumar wrote: On Wed, May 15, 2013 at 7:02 PM, Eric Paris epa...@redhat.com wrote: On Wed, 2013-05-15 at 13:20 +1000, Stephen Rothwell wrote: Hi , After merging the final tree, today's linux-next build (i386 defconfig) produced this warning

Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

2013-10-25 Thread Eric Paris
On Fri, 2013-10-25 at 10:36 +0900, Toshiyuki Okajima wrote: systemd|auditd ---+--- ...| - audit_receive |... -

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-05-12 Thread Eric Paris
On Thu, 2013-05-09 at 09:29 -0400, Steve Grubb wrote: On Tuesday, April 16, 2013 03:38:23 PM Richard Guy Briggs wrote: On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes: On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs

Re: linux-next: manual merge of the akpm tree with Linus' tree

2013-05-12 Thread Eric Paris
the MQ root as a hidden parent audit_names record from the akpm tree. Actually, I've already picked the patch up for 3.11. So Andrew, you can drop it. I fixed it up (see below) and can carry the fix as necessary (no action is required). BTW, commit b24a30a73054 from Linus' tree has Eric

RE: linux-next: manual merge of the akpm tree with Linus' tree

2013-05-12 Thread Eric Paris
-Original Message- From: Kees Cook [keesc...@chromium.org] Received: Monday, 13 May 2013, 12:49am To: Eric Paris [epa...@redhat.com] CC: Stephen Rothwell [s...@canb.auug.org.au]; Andrew Morton [a...@linux-foundation.org]; Linus [torva...@linux-foundation.org]; Linux-Next [linux-n

[PATCH] fork: reorder permissions when violating number of processes limits

2013-05-14 Thread Eric Paris
task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris epa...@redhat.com --- kernel/fork.c | 4 ++-- 1 file changed, 2

Re: linux-next: build warning after merge of the final tree (in Linus' tree)

2013-05-15 Thread Eric Paris
On Wed, 2013-05-15 at 13:20 +1000, Stephen Rothwell wrote: Hi , After merging the final tree, today's linux-next build (i386 defconfig) produced this warning: kernel/auditfilter.c: In function 'audit_data_to_entry': kernel/auditfilter.c:426:3: warning: this decimal constant is unsigned

Re: [PATCH 7/8] audit: clean up AUDIT_GET/SET local variables and future-proof API

2013-09-20 Thread Eric Paris
On Thu, 2013-09-19 at 17:18 -0400, Steve Grubb wrote: On Wednesday, September 18, 2013 03:06:52 PM Richard Guy Briggs wrote: Re-named confusing local variable names (status_set and status_get didn't agree with their command type name) and reduced their scope. Future-proof API changes by

Re: [PATCH v2 1/1] audit_alloc: clear TIF_SYSCALL_AUDIT if !audit_context

2013-09-20 Thread Eric Paris
to ensure the task can not miss audit_syscall_*() calls, this is pointless if the task has no ->audit_context. Signed-off-by: Oleg Nesterov o...@redhat.com Acked-by: Steve Grubb sgr...@redhat.com Acked-by: Eric Paris epa...@redhat.com Richard, please pick this up into your tree. --- kernel

Re: [PATCH] audit: remove newline accidentally added during session id helper refactor

2013-09-20 Thread Eric Paris
-by: Richard Guy Briggs r...@redhat.com Acked-by: Eric Paris epa...@redhat.com --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 3d17670..ac16540 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1413,7

Re: [PATCH 0/4] ipc: shm and msg fixes

2013-09-20 Thread Eric Paris
On Thu, 2013-09-19 at 14:22 -0700, Davidlohr Bueso wrote: On Sun, 2013-09-15 at 20:04 -0700, Davidlohr Bueso wrote: This patchset deals with the selinux and rmid races Manfred found on the ipc scaling work that has been going on. It specifically addresses shared mem and msg queues. While

Re: [PATCH 1/1] inotify: bug 77111 - fix reusage of watch descriptors

2014-06-09 Thread Eric Paris
This 'bug' feels very theoretical to me. There were about 3 kernel releases back when inotify was rewritten onto fsnotify where it was intentionally reusing wd's. So instead of a MAX_INT wrap all you had to do was a single create/destroy/create to get reuse. Almost every utility survived...

Re: [PATCH 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-06-10 Thread Eric Paris
On Mon, 2014-06-09 at 16:36 -0700, Linus Torvalds wrote: On Mon, Jun 9, 2014 at 3:56 PM, Andy Lutomirski l...@amacapital.net wrote: In this particular case, it's my patch, and I've never sent you a pull request. I sort of assumed that secur...@kernel.org magically caused acknowledged

Re: [PATCH V2 1/6] namespaces: assign each namespace instance a serial number

2014-05-10 Thread Eric Paris
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: Generate and assign a serial number per namespace instance since boot. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which is claimed to have had the right to change reserved

Re: [PATCH V2 2/6] audit: log namespace serial numbers

2014-05-10 Thread Eric Paris
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: Log the namespace serial numbers of a task in audit_log_task_info() which is used by syscall audits, among others. Idea first presented: https://www.redhat.com/archives/linux-audit/2013-March/msg00020.html Typical output

Re: [PATCH V2 2/6] audit: log namespace serial numbers

2014-05-10 Thread Eric Paris
On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: Not so relevant because you delete all of this code later... But still... +#ifdef CONFIG_NAMESPACES +void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk) +{ + struct nsproxy *nsproxy; + +

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-05-20 Thread Eric Paris
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: The purpose is to track namespaces in use by logged processes from the perspective of init_*_ns. 1/6 defines a function to generate them and assigns them. Use a serial number per namespace (unique across one boot of one kernel)

Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text

2014-05-28 Thread Eric Paris
NAK On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: Here are some issues with the code: - It thinks that syscalls have four arguments. Not true at all. It records the registers that would hold the first 4 entries on syscall entry, for use later if needed, as getting those later on

Re: [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-05-28 Thread Eric Paris
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32 auditing. Cc: sta...@vger.kernel.org Signed-off-by: Andy Lutomirski l...@amacapital.net --- kernel/auditsc.c | 27

Re: [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-05-28 Thread Eric Paris
On Wed, 2014-05-28 at 19:27 -0700, Andy Lutomirski wrote: On Wed, May 28, 2014 at 7:23 PM, Eric Paris epa...@redhat.com wrote: On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: Fixes an easy DoS and possible information disclosure. This does nothing about the broken state of x32

Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text

2014-05-28 Thread Eric Paris
On Wed, 2014-05-28 at 19:40 -0700, Andy Lutomirski wrote: On Wed, May 28, 2014 at 7:09 PM, Eric Paris epa...@redhat.com wrote: NAK On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: Here are some issues with the code: - It thinks that syscalls have four arguments. Not true

[PATCH 2/2] audit: do not select HAVE_ARCH_AUDITSYSCALL on x32

2014-05-28 Thread Eric Paris
stop selecting it. Signed-off-by: Eric Paris epa...@redhat.com Cc: Andy Lutomirski l...@amacapital.net --- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 56f47ca..e11c4da 100644 --- a/arch/x86/Kconfig +++ b/arch/x86

[PATCH 1/2] auditsc: audit_krule mask accesses need bounds checking

2014-05-28 Thread Eric Paris
: sta...@vger.kernel.org Signed-off-by: Andy Lutomirski l...@amacapital.net Signed-off-by: Eric Paris epa...@redhat.com --- kernel/auditsc.c | 27 ++- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 254ce20..842f58a 100644

Re: [PATCH 3.15] MIPS: Add new AUDIT_ARCH token for the N32 ABI on MIPS64

2014-05-12 Thread Eric Paris
: http://sourceforge.net/p/libseccomp/mailman/message/32239040/ Cc: Andy Lutomirski l...@amacapital.net Cc: Eric Paris epa...@redhat.com Cc: Paul Moore pmo...@redhat.com Cc: Ralf Baechle r...@linux-mips.org Signed-off-by: Markos Chandras markos.chand...@imgtec.com --- Ralf, can we

Re: [PATCH V2 1/6] namespaces: assign each namespace instance a serial number

2014-05-13 Thread Eric Paris
On Tue, 2014-05-13 at 11:13 -0400, Richard Guy Briggs wrote: On 14/05/13, Richard Guy Briggs wrote: On 14/05/10, Eric Paris wrote: On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: Generate and assign a serial number per namespace instance since boot. Use a serial

Re: [PATCH V2 1/6] namespaces: assign each namespace instance a serial number

2014-05-13 Thread Eric Paris
On Tue, 2014-05-13 at 11:30 -0400, Eric Paris wrote: On Tue, 2014-05-13 at 11:13 -0400, Richard Guy Briggs wrote: On 14/05/13, Richard Guy Briggs wrote: On 14/05/10, Eric Paris wrote: On Fri, 2014-05-09 at 20:27 -0400, Richard Guy Briggs wrote: Generate and assign a serial number

Re: [PATCH v2.1] audit: Only use the syscall slowpath when syscall audit rules exist

2014-02-03 Thread Eric Paris
...@redhat.com Cc: Eric Paris epa...@redhat.com Signed-off-by: Andy Lutomirski l...@amacapital.net --- This brown paper bag release is brought to you by git commit's -a flag. Changes from v2: Contains the correct patch Changes from v1: - For new tasks, set flags in a new audit_sync_flags

Re: [PATCH] security: select correct default LSM_MMAP_MIN_ADDR on arm on arm64

2014-02-05 Thread Eric Paris
Acked-by: Eric Paris epa...@redhat.com On Tue, Feb 4, 2014 at 4:38 AM, Will Deacon will.dea...@arm.com wrote: On Tue, Feb 04, 2014 at 02:15:32AM +, Colin Cross wrote: Binaries compiled for arm may run on arm64 if CONFIG_COMPAT is selected. Set LSM_MMAP_MIN_ADDR to 32768 if ARM64 COMPAT

Re: [PATCH v2.1] audit: Only use the syscall slowpath when syscall audit rules exist

2014-02-05 Thread Eric Paris
On Mon, 2014-02-03 at 11:11 -0800, Andy Lutomirski wrote: +void audit_inc_n_rules() +{ + struct task_struct *p, *g; + unsigned long flags; + + read_lock_irqsave(tasklist_lock, flags); + if (audit_n_rules++ == 0) { I know it's right, but it's too clever for me :) If we do

[GIT PULL] audit subsystem for 3.14

2014-01-21 Thread Eric Paris
: efficiency fix 1: only wake up if queue shorter than backlog limit audit: efficiency fix 2: request exclusive wait since all need same resource Eric Paris (8): audit: convert all sessionid declaration to unsigned int audit: wait_for_auditd rework for readability audit

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
Didn't Al find this/something very similar. I really hate this solution. Why should every LSM try to understand the intimate lifetime rules of the parent subsystems? The real problem is that inode_free_security() is being called while the inode is still in use. While I agree with the

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
On Thu, 2014-01-09 at 10:51 -0500, Steven Rostedt wrote: On Thu, 9 Jan 2014 10:31:55 -0500 Eric Paris epa...@parisplace.org wrote: Didn't Al find this/something very similar. I really hate this I'm not involved with the vfs, so I'm unaware of other solutions presented. I just hit

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
[adding lsm and selinux] Am I just crazy, or was this bug discussed (and obviously not fixed) some time ago? VFS can still use inodes after security_inode_free_security() was called... On Thu, 2014-01-09 at 10:57 -0500, Eric Paris wrote: On Thu, 2014-01-09 at 10:51 -0500, Steven Rostedt wrote

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
https://bugzilla.redhat.com/show_bug.cgi?id=829715 at least has some discussion... On Thu, Jan 9, 2014 at 11:22 AM, Steven Rostedt rost...@goodmis.org wrote: On Thu, 09 Jan 2014 11:10:05 -0500 Stephen Smalley s...@tycho.nsa.gov wrote: I didn't know that was the case; originally when we added

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
On Thu, Jan 9, 2014 at 3:20 PM, Mimi Zohar zo...@linux.vnet.ibm.com wrote: For those of us that don't have access to the RH bugzilla, can someone please summarize the problem? The upstream discussion (nothing really useful in the bug other than a link to it) is here.

Re: [PATCH] SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()

2014-01-09 Thread Eric Paris
On Thu, 2014-01-09 at 22:13 +, Al Viro wrote: On Thu, Jan 09, 2014 at 10:31:55AM -0500, Eric Paris wrote: Didn't Al find this/something very similar. I really hate this solution. Why should every LSM try to understand the intimate lifetime rules of the parent subsystems? The real

Re: [PATCH] vfs: Fix possible NULL pointer dereference in inode_permission()

2014-01-09 Thread Eric Paris
On Thu, 2014-01-09 at 18:27 -0500, Steven Rostedt wrote: On Thu, 9 Jan 2014 18:25:23 -0500 Steven Rostedt rost...@goodmis.org wrote: On Fri, 10 Jan 2014 06:41:03 +0800 Linus Torvalds torva...@linux-foundation.org wrote: I think the sane short term fix is to make the kfree() of the

Re: [PATCH v4 0/3] Send audit/procinfo/cgroup data in socket-level control message

2014-01-15 Thread Eric Paris
On Wed, 2014-01-15 at 12:17 -0800, David Miller wrote: From: Jan Kaluza jkal...@redhat.com Date: Mon, 13 Jan 2014 09:01:46 +0100 Changes introduced in this patchset can also increase performance of such server-like processes, because current way of opening and parsing /proc/$PID/* files

Re: [PATCH 1/2] audit: print error message when fail to create audit socket

2013-12-17 Thread Eric Paris
On Tue, 2013-12-17 at 11:10 +0800, Gao feng wrote: print the error message and then return -ENOMEM. Signed-off-by: Gao feng gaof...@cn.fujitsu.com Haha. If it's NULL return. No no, if it's REALLY null audit_panic(). Acked-by: Eric Paris epa...@redhat.com --- kernel/audit.c | 9

Re: [PATCH 2/2] audit: fix incorrect set of audit_sock

2013-12-17 Thread Eric Paris
-ECONNREFUSED. And the socket of userspace process can be released anytime, so the audit_sock may point to invalid socket. this patch sets the audit_sock to the kernel side audit netlink socket. Signed-off-by: Gao feng gaof...@cn.fujitsu.com Acked-by: Eric Paris epa...@redhat.com

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-10 Thread Eric Paris
On Tue, 2013-12-10 at 10:51 -0600, Serge Hallyn wrote: Quoting Gao feng (gaof...@cn.fujitsu.com): On 12/10/2013 02:26 AM, Serge Hallyn wrote: Quoting Gao feng (gaof...@cn.fujitsu.com): On 12/07/2013 06:12 AM, Serge E. Hallyn wrote: Quoting Gao feng (gaof...@cn.fujitsu.com): Hi

Re: SELinux change in 3.13 causes sync hang

2013-12-10 Thread Eric Paris
On Tue, 2013-12-10 at 15:06 -0500, Josh Boyer wrote: We've had a report[1] in Fedora of sync(1) hanging after logging into GNOME and running the command in a terminal. I was able to recreate this on my local system and did a git bisect. The bisect blames: commit

Re: SELinux change in 3.13 causes sync hang

2013-12-10 Thread Eric Paris
I still believe (assuming Josh says it tests ok) that a revert is a reasonable fix until next window. But I might know the actual problem: Let's assume policy says: fuse.gluster == use_xattr Let's assume this function is called with sb->s_type->name == fuse sb->s_subtype == NULL int

Re: SELinux change in 3.13 causes sync hang

2013-12-10 Thread Eric Paris
On Tue, 2013-12-10 at 15:25 -0500, Eric Paris wrote: I'll try to write a patch to fix that logic... Anand, How about something like (untested but it compiles): diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ee470a0..2b437fc8 100644 --- a/security/selinux/ss

Re: SELinux change in 3.13 causes sync hang

2013-12-10 Thread Eric Paris
On Tue, 2013-12-10 at 13:58 -0800, Anand Avati wrote: On 12/10/13, 12:35 PM, Eric Paris wrote: On Tue, 2013-12-10 at 15:25 -0500, Eric Paris wrote: I'll try to write a patch to fix that logic... Anand, How about something like (untested but it compiles): Sorry, it took me

Re: [GIT] SELinux fixes

2013-12-13 Thread Eric Paris
On Fri, 2013-12-13 at 09:36 -0500, Paul Moore wrote: On Fri, Dec 13, 2013 at 9:02 AM, Josh Boyer jwbo...@fedoraproject.org wrote: Should probably figure out which path to take on this one soon: http://thread.gmane.org/gmane.linux.kernel/1611662 A revert might be the easiest for now.

Re: [PATCH] compat_audit: allow it to work without asm/unistd32.h

2014-03-24 Thread Eric Paris
I don't know tilegx, but I have replaced 223b24d807610 with 4b58841149dcaa5. I believe adding AUDIT_ARCH_COMPAT_GENERIC was akashi-san's fix for this problem on mips. Is this a better fix? Thanks -Eric On Thu, 2014-03-20 at 11:31 -0400, Chris Metcalf wrote: For architectures that use the

Re: Linux 3.14-rc8 (LXC broken)

2014-03-25 Thread Eric Paris
On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote: *testing hat on* PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8, making login, ssh etc fail in containers unless you boot with audit=0. This is due to a change in return value to user space; and is apparently a

Re: [PATCH 1/1] Avoid having to provide a fake/invalid fd and path

2014-03-26 Thread Eric Paris
Schuchardt xypron.g...@gmx.de The patch looks good to me. You can add: Reviewed-by: Jan Kara j...@suse.cz Andrew, can you please add the patch to the fanotify patches you already carry? Thanks! Acked-by: Eric Paris epa...@redhat.com that would be great Andrew

Re: fanotify API: FMODE_NONOTIFY, FMODE_EXEC, FMODE_NOCMTIME

2014-04-29 Thread Eric Paris
/fcntl.h I found the following comment: /* * FMODE_EXEC is 0x20 * FMODE_NONOTIFY is 0x100 * These cannot be used by userspace O_* until internal and external open * flags are split. * -Eric Paris */ The definition of FMODE_NONOTIFY is in include/linux/fs.h

[PATCH] watchdog: print all locks on a softlock

2014-05-01 Thread Eric Paris
If the CPU hits a softlockup this patch will also have it print the information about all locks being held on the system. This might help determine if a lock is being held too long leading to this problem. Signed-off-by: Eric Paris epa...@redhat.com Cc: Frederic Weisbecker fweis...@gmail.com Cc

Re: Things I wish I'd known about Inotify

2014-04-04 Thread Eric Paris
On Fri, 2014-04-04 at 15:00 +0200, David Herrmann wrote: 1) IN_IGNORED is async and _immediate_ in case a file got deleted. So if you use watch-descriptors as keys for your objects, an _already_ used key might be returned by inotify_add_watch() if an IN_IGNORED is queued for the old watch

[PATCH] audit: x86: drop arch from __audit_syscall_entry() interface

2014-04-23 Thread Eric Paris
-by: Richard Guy Briggs r...@redhat.com Cc: Thomas Gleixner t...@linutronix.de Cc: Ingo Molnar mi...@redhat.com Cc: H. Peter Anvin h...@zytor.com Cc: x...@kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-au...@redhat.com Signed-off-by: Eric Paris epa...@redhat.com --- As this patch relies

Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-24 Thread Eric Paris
...@redhat.com wrote: Meaning looking at the journal would be equivalent to looking at /var/log/audit/audit.log. On 04/23/2014 11:37 AM, Eric Paris wrote: On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote: I guess the problem would be that the sysadm_t would be able to look

Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-24 Thread Eric Paris
see individual records? so secadm_t running journalctl would see them and sysadm running journalctl wouldn't see them? Sounds elegant. Who is going to code it? *NOT IT!* On 04/24/2014 09:22 AM, Eric Paris wrote: They would be equivalent if and only if journald had CAP_AUDIT_READ. I

Re: linux-next: build failure after merge of the audit tree

2014-04-22 Thread Eric Paris
On Tue, 2014-04-22 at 16:22 +1000, Stephen Rothwell wrote: Hi Eric, After merging the audit tree, today's linux-next build (sparc defconfig) failed like this: In file included from include/linux/audit.h:29:0, from mm/mmap.c:33: arch/sparc/include/asm/syscall.h: In

Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Eric Paris
On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote: On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote: This is a patch set Eric Paris and I have been working on to add a restricted capability read-only netlink multicast socket to kernel audit to enable userspace clients

Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Eric Paris
On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote: Here are the capabilities we currently give to sysadm_t with sysadm_secadm 1.0.0 Disabled allow sysadm_t sysadm_t : capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable

Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Eric Paris
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote: I guess the problem would be that the sysadm_t would be able to look at the journal which would now contain the audit content. right. so include it in the sysadm_secadm bool On 04/23/2014 10:42 AM, Eric Paris wrote: On Wed, 2014-04

Re: [PATCH] gpio: ich: set regs and reglen for i3100 and ich6 chipset

2014-04-15 Thread Eric Paris
-by: Vincent Donnefort vdonnef...@gmail.com Things seem much happier now! Thank you sir! Tested-by: Eric Paris epa...@redhat.com diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c index e73c675..7030422 100644 --- a/drivers/gpio/gpio-ich.c +++ b/drivers/gpio/gpio-ich.c
