On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
Andrew Morton a...@linux-foundation.org writes:
On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com
wrote:
audit rule additions containing -F auid!=4294967295 were failing with
EINVAL.
The only case
calls to
match the wrong entry in the audit_names list.
This patch simply sets the flag to properly indicate that this inode
represents the parent. With this, the audit_names entries are back to
looking like they did before.
This patch fixes the problem for me.
Tested-by: Richard Guy Briggs
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
Andrew Morton a...@linux-foundation.org writes:
On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com
wrote:
audit rule additions containing -F auid!=4294967295 were failing with
EINVAL.
UID_INVALID
On Tue, Apr 09, 2013 at 02:16:22PM -0700, Eric W. Biederman wrote:
Steve Grubb sgr...@redhat.com writes:
On Tuesday, April 09, 2013 02:39:32 AM Eric W. Biederman wrote:
Andrew Morton a...@linux-foundation.org writes:
On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com
On Wed, Apr 10, 2013 at 12:20:18PM -0400, Richard Guy Briggs wrote:
On Tue, Apr 09, 2013 at 02:16:22PM -0700, Eric W. Biederman wrote:
Steve Grubb sgr...@redhat.com writes:
On Tuesday, April 09, 2013 02:39:32 AM Eric W. Biederman wrote:
Andrew Morton a...@linux-foundation.org writes
On Wed, Apr 10, 2013 at 11:02:43AM -0700, Eric W. Biederman wrote:
Richard Guy Briggs r...@redhat.com writes:
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote:
@@ -377,6 +383,12 @@ static struct audit_entry *audit_rule_to_entry(struct
audit_rule *rule
of ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (2012-09-11) to fix
this.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditfilter.c | 12
1 files changed, 0 insertions(+), 12 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f9fc54b..457ee39 100644
--- a/kernel
was re-used to catch the return code of the registration of
the genetlink thermal socket family.
Signed-off-by: Richard Guy Briggs rbri...@redhat.com
---
drivers/thermal/thermal_sys.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/thermal/thermal_sys.c b/drivers/thermal/thermal_sys.c
From: Richard Guy Briggs r...@redhat.com
Hi,
This is a patch set Eric Paris and I have been working on to add a restricted
capability read-only netlink multicast socket to kaudit to enable
userspace clients such as systemd to consume audit logs, in addition to the
bidirectional auditd userspace
From: Richard Guy Briggs r...@redhat.com
Currently netlink socket permissions are controlled by the
NL_CFG_F_NONROOT_{RECV,SEND} flags in the kernel socket configuration or by the
CAP_NET_ADMIN capability of the client. The former allows non-root users
access to the socket. The latter allows
From: Richard Guy Briggs r...@redhat.com
The hold queue flush code is an autonomous chunk of code that can be
refactored, removed from kauditd_thread() into flush_hold_queue() and
flattened for better legibility.
Signed-off-by: Richard Guy Briggs rbri...@redhat.com
---
This is a code clean up
From: Richard Guy Briggs r...@redhat.com
The kauditd_thread() task was started only after the auditd userspace daemon
registers itself with kaudit. This was fine when only auditd consumed messages
from the kaudit netlink unicast socket. With the addition of a multicast group
to that socket
From: Richard Guy Briggs r...@redhat.com
The wait queue control code in kauditd_thread() was nested deeper than
necessary. The function has been flattened for better legibility.
Signed-off-by: Richard Guy Briggs rbri...@redhat.com
---
This is a code clean up in preparation to add a multicast
On Thu, Aug 22, 2013 at 09:08:48PM +0200, Oleg Nesterov wrote:
On 08/20, Richard Guy Briggs wrote:
static inline int is_global_init(struct task_struct *tsk)
{
- return tsk-pid == 1;
+ return task_pid_nr(tsk) == 1;
}
Probably it would be better to simply kill it. Almost every
On Fri, Aug 23, 2013 at 08:36:21AM +0200, Peter Zijlstra wrote:
On Thu, Aug 22, 2013 at 05:43:47PM -0400, Richard Guy Briggs wrote:
On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote:
On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote:
This stops these four
On Fri, Aug 23, 2013 at 09:28:07PM +0200, Oleg Nesterov wrote:
On 08/22, Richard Guy Briggs wrote:
On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote:
Why would you ever want to do this? It just makes these tests more
expensive for no gain what so ff'ing ever.
Backups
ebied...@xmission.com
(cherry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67)
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |6 +++---
kernel/auditsc.c |6 ++
kernel/capability.c |2 +-
3 files changed, 6 insertions(+), 8 deletions
to the child process' pid
namespace.
(informed by ebiederman's 6c621b7e)
Cc: sta...@vger.kernel.org
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/sched.h | 23 +++
1 files changed, 23 insertions(+), 0 deletions
task->pid is an error prone construct and results in duplicate maintenance.
Start its demise by modifying task_pid_nr to not use it.
(informed by ebiederman's 3a2e8c59)
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/sched.h |2
This stops these four task helper functions from using the deprecated and
error-prone task->pid and task->tgid.
(informed by ebiederman's ea5a4d01)
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/sched.h |8
1 files
It doesn't make any sense to recallers to pass in a non-const struct
task so update the function signatures to only require a const struct
task.
(informed by ebiederman's c76b2526)
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux
task->tgid is an error prone construct and results in duplicate maintenance.
Start its demise by modifying task_tgid_nr to not use it.
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/sched.h |2 +-
1 files changed, 1 insertions
.
Cc: Eric W. Biederman ebied...@xmission.com
(informed by ebiederman's c776b5d2)
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
drivers/tty/tty_audit.c |3 ++-
kernel/audit.c | 15 ++-
kernel/auditfilter.c | 17
into the initial pid namespace for reports
(informed by ebiederman's 5bf431da)
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c | 25 +++--
kernel/audit.h |4 ++--
kernel/auditsc.c |6 +++---
3 files changed
. Ports
use the __u32 type, so re-type all portids accordingly.
(This patch is very similar to ebiederman's 5deadd69)
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |2 +-
kernel/audit.c| 32
kernel/audit.h|8
a clear
abstraction of the frequently used init_pid_ns in task_pid_nr_ns() and
task_tgid_nr_ns().
Also added pid_nr_init_ns() to explicitly use init_pid_ns.
(informed by ebiederman's 3a2e8c59)
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include
to task_ppid_nr_init_ns() for PPIDs to anchor all audit filters in the
init_pid_ns.
(informed by ebiederman's 6c621b7e)
Cc: sta...@vger.kernel.org
Cc: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c|4 ++--
kernel/auditsc.c
From: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Eric W. Biederman ebied...@xmission.com
(cherry picked from commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7)
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c |6 --
1 files changed, 0 insertions(+), 6
it.
Discuss.
Eric W. Biederman (5):
audit: Kill the unused struct audit_aux_data_capset
audit: Simplify and correct audit_log_capset
Richard Guy Briggs (7):
audit: fix netlink portid naming and types
pid: get ppid pid_t of task in init_pid_ns safely
audit: convert PPIDs to the inital PID
On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote:
On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote:
This stops these four task helper functions from using the deprecated and
error-prone task->pid and task->tgid.
(informed by ebiederman's ea5a4d01)
Cc: Eric
Guy Briggs r...@redhat.com
---
kernel/audit.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..63b2dd5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1590,7 +1590,7 @@ void audit_log_task_info(struct audit_buffer *ab
Convert audit from only listening in init_net to use register_pernet_subsys()
to dynamically manage the netlink socket list.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c | 64 ++-
kernel/audit.h |4 +++
2 files
that specific case, returning an error of EACCES.
The case for preventing a newer auditd from registering itself if there is an
existing auditd is a more difficult case that is beyond the scope of this
patch.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 ++
1 files changed
--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line unsubscribe linux-kernel
of the same bug, so it
is getting around...
- RGB
-by: Justin Stephenson jstep...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..939cff1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -715,7 +715,7
to work.
This is a minimal patch for that bug.
Thanks Konstantin,
This patch is in my patchset...
Signed-off-by: Konstantin Khlebnikov khlebni...@openvz.org
Cc: Andrew Morton a...@linux-foundation.org
Cc: Luiz Capitulino lcapitul...@redhat.com
Cc: Richard Guy Briggs r...@redhat.com
Cc: Eric
A newline was accidentally added during session ID helper refactorization in
commit 4d3fb709. This needlessly uses up buffer space, messes up syslog
formatting and makes userspace processing less efficient. Remove it.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2
-by: Luiz Capitulino lcapitul...@redhat.com
Signed-off-by: Dan Duval dan.du...@oracle.com
Signed-off-by: Chuck Anderson chuck.ander...@oracle.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |5 -
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel
Re-named confusing local variable names (status_set and status_get didn't agree
with their command type name) and reduced their scope.
Future-proof API changes by not depending on the exact size of the audit_status
struct.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c
If wait_for_auditd() times out, go immediately to the error function rather
than retesting the loop conditions.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c | 12
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
readahead-collector abuses the audit logging facility to discover which files
are accessed at boot time to make a pre-load list
Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up,
or gets blocked, the callers won't be blocked.
Signed-off-by: Richard Guy Briggs r
and 8th are to add a config option to make the backlog wait time
configurable from the hard-coded default.
Richard Guy Briggs (8):
audit: avoid soft lockup due to audit_log_start() incorrect loop
termination
audit: reset audit backlog wait time after error recovery
audit: make use
Khlebnikov khlebni...@openvz.org
Signed-off-by: Dan Duval dan.du...@oracle.com
Signed-off-by: Chuck Anderson chuck.ander...@oracle.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel
...@oracle.com
Signed-off-by: Chuck Anderson chuck.ander...@oracle.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 42c68db..25fab2d 100644
--- a/kernel/audit.c
://lkml.org/lkml/2013/9/2/479
Signed-off-by: Dan Duval dan.du...@oracle.com
Signed-off-by: Chuck Anderson chuck.ander...@oracle.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel
the lost messages without compiling a new kernel.
This patch adds a boot option (audit already has one to enable/disable it)
audit_backlog_limit=n that overrides the default to allow the system
administrator to set the backlog limit.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel
On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote:
On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote:
readahead-collector abuses the audit logging facility to discover which files
are accessed at boot time to make a pre-load list
Add a tuning option
-by: Richard Guy Briggs r...@redhat.com
---
security/smack/smack_lsm.c |5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8825375..185e2e7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
audit_log_start(). In
particular, watch out for *_audit_rule_match().
This fix will take care of systemd and anything USING audit. It still means
that we could race with something configuring audit and auditd shutting down.
Signed-off-by: Richard Guy Briggs r...@tricolour.ca
Signed-off-by: Richard Guy Briggs
trim_marked(). It may make sense to have trim_marked() send its queue through
a new thread.
Richard Guy Briggs (3):
selinux: call WARN_ONCE() instead of calling audit_log_start()
smack: call WARN_ONCE() instead of calling audit_log_start()
audit: drop audit_cmd_lock in AUDIT_USER family
()
in this location makes buffer allocation and locking more complicated in the
calling tree (audit_filter_user()).
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
security/selinux/ss/services.c | 12
1 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/security
Errors from filter user rules were previously ignored, and worse, an error on
an AUDIT_NEVER rule disabled logging on that rule. On -ESTALE, retry up to 5
times. On error on AUDIT_NEVER rules, log.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 +-
kernel
) please find the get_task_comm() patch and the alternate
memcpy() patch.
- RGB
---
kernel/audit.c |5 ++---
kernel/auditsc.c |9 +
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 9239e5e..5b600c8 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1883,7 +1883,7 @@ EXPORT_SYMBOL(audit_log_task_context);
---
kernel/audit.c |5 ++---
kernel/auditsc.c |3 ++-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 9239e5e..ecb08a5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1883,7 +1883,7 @@ EXPORT_SYMBOL(audit_log_task_context);
void
simply not being present).
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@tricolour.ca
---
kernel/audit.c | 10 ++
kernel/audit.h |2 +-
kernel/auditfilter.c |3 ++-
3 files changed, 9 insertions(+), 6 deletions
to the appropriate
socket.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Richard Guy Briggs r...@tricolour.ca
---
This is an incremental change on top of my previous patch to guarantee
that replies always happen in the appropriate network namespace.
include/linux
as you, but continuing to suggest people don't care is
starting to get abusive.
In any case, since I haven't sent them to Linus and I'm glad that is
done, so feel free to consider this me Acking the pull request.
Eric
- RGB
On 14/03/16, Richard Guy Briggs wrote:
On 14/02/28, Eric W. Biederman wrote:
While reading through 3.14-rc1 I found a pretty significant mishandling
of network namespaces in the recent audit changes.
In struct audit_netlink_list and audit_reply add a reference to the
network
On 14/03/16, Richard Guy Briggs wrote:
On 14/02/28, Eric W. Biederman wrote:
In perverse cases of file descriptor passing the current network
namespace of a process and the network namespace of a socket used by
that socket may differ. Therefore use the network namespace
system call names
* select CONFIG_AUDIT_ARCH_COMPAT_GENERIC
Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h | 8
include/uapi/linux/audit.h | 6 ++
lib/Kconfig| 9
done on entry.
Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org
Minor variable mis-spelling of scratch noted below, but other than
that:
Acked-by: Richard Guy Briggs r...@redhat.com
---
arch/arm64/kernel/entry.S | 10 --
arch/arm64/kernel/ptrace.c | 50
is still necessary in ptrace.c and process.c because
they use is_compat_thread().
Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org
Acked-by: Richard Guy Briggs r...@redhat.com
---
arch/arm64/include/asm/compat.h | 5 -
arch/arm64/kernel/hw_breakpoint.c | 2 +-
arch/arm64
On 14/02/20, Oleg Nesterov wrote:
On 01/23, Richard Guy Briggs wrote:
task->tgid is an error prone construct and results in duplicate maintenance.
Start its demise by modifying task_tgid_nr to not use it.
Well, I disagree.
Yes I agree that ->tgid should probably die. But this change
on at least s390x. Others
may have it missing too, but the build quit on discovering that one.
I guess that, if the syscall restart logic needs to read the argument
registers, then they're probably reliably saved...
--Andy
- RGB
On 14/02/19, Richard Guy Briggs wrote:
On 14/02/18, Richard Guy Briggs wrote:
On 14/02/18, Steve Grubb wrote:
On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote:
missing '=' but this isn't what audit_get_context() does... it's
crappy naming...I'd think
it with HAVE_ARCH_AUDITSYSCALL
for simplicity.
Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org
Acked-by: Richard Guy Briggs r...@redhat.com
---
arch/alpha/Kconfig |1 +
arch/arm/Kconfig |1 +
arch/ia64/Kconfig |1 +
arch/parisc/Kconfig|1 +
arch
On 14/02/28, Will Deacon wrote:
On Fri, Feb 28, 2014 at 05:17:15AM +, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from
every system call invocation.
Acked-by: Richard Guy Briggs r...@redhat.com
Signed-off-by: AKASHI Takahiro takahiro.aka
;
- dest-pid = task_pid_vnr(current);
skb_queue_head_init(dest-q);
mutex_lock(audit_filter_mutex);
--
1.7.5.4
- RGB
From: Gao feng gaof...@cn.fujitsu.com
If audit is disabled, we shouldn't generate loginuid audit
log.
Cc: sta...@vger.kernel.org # v3.13-rc1
Acked-by: Eric Paris epa...@redhat.com
Signed-off-by: Gao feng gaof...@cn.fujitsu.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
Signed-off-by: Eric
On 14/03/03, Greg KH wrote:
On Mon, Mar 03, 2014 at 05:30:50PM -0500, Richard Guy Briggs wrote:
From: Gao feng gaof...@cn.fujitsu.com
If audit is disabled, we shouldn't generate loginuid audit
log.
Cc: sta...@vger.kernel.org # v3.13-rc1
Acked-by: Eric Paris epa...@redhat.com
On 14/02/28, AKASHI Takahiro wrote:
On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.
Acked-by Will Deacon will.dea...@arm.com
Acked-by: Richard Guy Briggs r...@redhat.com
Signed-off-by: AKASHI Takahiro
-m
SECCOMP -i
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c |3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3bc12d2..7317f46 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7
Make audit_syscall_entry() ignore the arch parameter passed to it and call
syscall_get_arch() locally.
Remove arch from the audit_syscall_entry() parameter list.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
arch/arm/kernel/ptrace.c|2 +-
arch/ia64/kernel/ptrace.c
Since all callers of syscall_get_arch() call with task current and none of
the arch-dependent functions use the regs parameter (which could just as
easily be found with task_pt_regs()), delete both parameters.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
arch/arm/include/asm/syscall.h
the kernel internal to the user api version
to get the architecture numbers, but to avoid a circular header reference
between audit and syscall.h
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
arch/arm/include/asm/syscall.h|2 +-
arch/ia64/include/asm/syscall.h |2 +-
arch
Since arch is found locally in __audit_syscall_entry(), there is no need to
pass it in as a parameter. Delete it from the parameter list.
x86* was the only arch to call __audit_syscall_entry() directly and did so from
assembly code.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
Can I
around
arch, current and regs in __audit_syscall_entry() and audit_syscall_entry().
Compiles and runs on i686, x86_64, ppc, ppc64, s390, s390x, manually tested in
an x86_64 VM. aarch64 will be added soon.
Richard Guy Briggs (6):
syscall: define syscall_get_arch() for each audit-supported arch
Each arch that supports audit requires syscall_get_arch() to be able to log and
identify architecture-dependent syscall numbers. The information is used in at
least two different subsystems, so standardize it in the same call across all
arches.
Signed-off-by: Richard Guy Briggs r...@redhat.com
=%d\n, audit_pid);
- audit_log_lost(auditd disappeared\n);
+ audit_log_lost(auditd disappeared);
audit_pid = 0;
audit_sock = NULL;
}
--
1.8.5.3
- RGB
On 14/03/05, Richard Guy Briggs wrote:
Each arch that supports audit requires syscall_get_arch() to be able to log and
identify architecture-dependent syscall numbers. The information is used in
at
least two different subsystems, so standardize it in the same call across all
arches.
I just
On 14/03/05, Joe Perches wrote:
On Wed, 2014-03-05 at 17:27 -0500, Richard Guy Briggs wrote:
On 14/03/05, Josh Boyer wrote:
Calling audit_log_lost with a \n in the format string leads to extra
newlines in dmesg. That function will eventually call audit_panic which
uses pr_err
On 14/03/06, AKASHI Takahiro wrote:
On 03/01/2014 01:15 AM, Will Deacon wrote:
On Fri, Feb 28, 2014 at 05:17:15AM +, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from
every system call invocation.
Acked-by: Richard Guy Briggs r...@redhat.com
Signed-off
On 14/03/06, Markos Chandras wrote:
Hi Richard,
Hi Markos,
On 03/05/2014 09:27 PM, Richard Guy Briggs wrote:
Each arch that supports audit requires syscall_get_arch() to be able to log and
identify architecture-dependent syscall numbers. The information is used in
at
least two different
tried to use RCU for reading from vsnprintf() but Linus will not accept it.
- RGB
On 14/03/08, Tetsuo Handa wrote:
Richard Guy Briggs wrote:
Likewise, audit_log_untrustedstring(ab, current->comm) is racy.
If task->comm was Hello Linux until
audit_string_contains_control() in
audit_log_n_untrustedstring() returns false, and becomes Penguin
before
Paris epa...@redhat.com
Signed-off-by: Aristeu Rozanski aroza...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c | 10 --
1 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3bc12d2..d8a54ef 100644
This was fixed in RHEL6 as BZ 670328, but never upstreamed.
Eric Paris (1):
audit: include subject in login records
Richard Guy Briggs (1):
audit: remove superfluous new- prefix in AUDIT_LOGIN messages
kernel/auditsc.c | 10 --
1 files changed, 4 insertions(+), 6 deletions
The new- prefix on ses and auid are un-necessary and break ausearch.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index eb01d47..3bc12d2 100644
--- a/kernel
(ab, tsk, context);
audit_log_key(ab, context-filterkey);
audit_log_end(ab);
--
1.7.9.5
--
Linux-audit mailing list
linux-au...@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
The AUDIT_SECCOMP record looks something like this:
type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1
subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm=test sig=31
syscall=231 compat=0 ip=0x39ea8bca89 code=0x0
In order to determine what syscall 231
On 14/02/14, Eric Paris wrote:
On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote:
The AUDIT_SECCOMP record looks something like this:
type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325
ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm
On 14/02/14, Richard Guy Briggs wrote:
On 14/02/14, Eric Paris wrote:
On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote:
The AUDIT_SECCOMP record looks something like this:
type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325
ses=1 subj
On 14/02/14, Eric Paris wrote:
On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote:
On 14/02/14, Richard Guy Briggs wrote:
On 14/02/14, Eric Paris wrote:
On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote:
The AUDIT_SECCOMP record looks something like
On 14/02/18, Steve Grubb wrote:
On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote:
missing '=' but this isn't what audit_get_context() does... it's
crappy naming...I'd think a combo of audit_dummy_context() and
current->audit_context would be most appropriate
Andrew,
Are you willing to shepherd this patchset?
On 14/01/23, Richard Guy Briggs wrote:
These are a number of patches inspired by ebiederman's container work that
were
included by me 2013-08-20 as the patchset:
RFC: steps to make audit pid namespace-safe
They have been separated
Test first to see if there are any userspace multicast listeners bound to the
socket before starting the multicast send work.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel
Register a netlink per-protocol bind function for audit to check userspace
process capabilities before allowing a multicast group connection.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/audit.c | 10 ++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git
://bugzilla.redhat.com/show_bug.cgi?id=887992
It needs a bit of massage to get past checkpatch.pl...
First posted:
https://www.redhat.com/archives/linux-audit/2013-January/msg8.html
https://lkml.org/lkml/2013/1/27/279
Richard Guy Briggs (5):
audit: move kaudit thread start from
1 - 100 of 2017 matches