Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-16 Thread Richard Guy Briggs
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes: On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com wrote: audit rule additions containing -F auid!=4294967295 were failing with EINVAL. The only case

Re: [PATCH] vfs: fix audit_inode call in O_CREAT case of do_last

2013-04-16 Thread Richard Guy Briggs
calls to match the wrong entry in the audit_names list. This patch simply sets the flag to properly indicate that this inode represents the parent. With this, the audit_names entries are back to looking like they did before. This patch fixes the problem for me. Tested-by: Richard Guy Briggs

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-09 Thread Richard Guy Briggs
On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes: On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com wrote: audit rule additions containing -F auid!=4294967295 were failing with EINVAL. UID_INVALID

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-10 Thread Richard Guy Briggs
On Tue, Apr 09, 2013 at 02:16:22PM -0700, Eric W. Biederman wrote: Steve Grubb sgr...@redhat.com writes: On Tuesday, April 09, 2013 02:39:32 AM Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes: On Wed, 20 Mar 2013 15:18:17 -0400 Richard Guy Briggs r...@redhat.com

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-10 Thread Richard Guy Briggs
On Wed, Apr 10, 2013 at 12:20:18PM -0400, Richard Guy Briggs wrote: On Tue, Apr 09, 2013 at 02:16:22PM -0700, Eric W. Biederman wrote: Steve Grubb sgr...@redhat.com writes: On Tuesday, April 09, 2013 02:39:32 AM Eric W. Biederman wrote: Andrew Morton a...@linux-foundation.org writes

Re: [PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-04-10 Thread Richard Guy Briggs
On Wed, Apr 10, 2013 at 11:02:43AM -0700, Eric W. Biederman wrote: Richard Guy Briggs r...@redhat.com writes: On Tue, Apr 09, 2013 at 02:39:32AM -0700, Eric W. Biederman wrote: @@ -377,6 +383,12 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule

[PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data

2013-03-20 Thread Richard Guy Briggs
of ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (2012-09-11) to fix this. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditfilter.c | 12 1 files changed, 0 insertions(+), 12 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f9fc54b..457ee39 100644 --- a/kernel

[PATCH] thermal: return an error on failure to register thermal class

2013-02-12 Thread Richard Guy Briggs
was re-used to catch the return code of the registration of the genetlink thermal socket family. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- drivers/thermal/thermal_sys.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/thermal/thermal_sys.c b/drivers/thermal/thermal_sys.c

[PATCH 0/6] audit: add restricted capability read-only netlink multicast socket

2013-01-27 Thread Richard Guy Briggs
From: Richard Guy Briggs r...@redhat.com Hi, This is a patch set Eric Paris and I have been working on to add a restricted capability read-only netlink multicast socket to kaudit to enable userspace clients such as systemd to consume audit logs, in addition to the bidirectional auditd userspace

[PATCH 4/6] netlink: add send and receive capability requirement and capability flags

2013-01-27 Thread Richard Guy Briggs
From: Richard Guy Briggs r...@redhat.com Currently netlink socket permissions are controlled by the NL_CFG_F_NONROOT_{RECV,SEND} flags in the kernel socket configuration or by the CAP_NET_ADMIN capability of the client. The former allows non-root users access to the socket. The latter allows

[PATCH 1/6] audit: refactor hold queue flush

2013-01-27 Thread Richard Guy Briggs
From: Richard Guy Briggs r...@redhat.com The hold queue flush code is an autonomous chunk of code that can be refactored, removed from kauditd_thread() into flush_hold_queue() and flattened for better legibility. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- This is a code clean up

[PATCH 3/6] audit: move kaudit thread start from auditd registration to kaudit init

2013-01-27 Thread Richard Guy Briggs
From: Richard Guy Briggs r...@redhat.com The kauditd_thread() task was started only after the auditd userspace daemon registers itself with kaudit. This was fine when only auditd consumed messages from the kaudit netlink unicast socket. With the addition of a multicast group to that socket

[PATCH 2/6] audit: flatten kauditd_thread wait queue code

2013-01-27 Thread Richard Guy Briggs
From: Richard Guy Briggs r...@redhat.com The wait queue control code in kauditd_thread() was nested deeper than necessary. The function has been flattened for better legibility. Signed-off-by: Richard Guy Briggs rbri...@redhat.com --- This is a code clean up in preparation to add a multicast

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task->pid and task->tgid

2013-08-26 Thread Richard Guy Briggs
On Thu, Aug 22, 2013 at 09:08:48PM +0200, Oleg Nesterov wrote: On 08/20, Richard Guy Briggs wrote: static inline int is_global_init(struct task_struct *tsk) { - return tsk-pid == 1; + return task_pid_nr(tsk) == 1; } Probably it would be better to simply kill it. Almost every

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task->pid and task->tgid

2013-08-26 Thread Richard Guy Briggs
On Fri, Aug 23, 2013 at 08:36:21AM +0200, Peter Zijlstra wrote: On Thu, Aug 22, 2013 at 05:43:47PM -0400, Richard Guy Briggs wrote: On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote: On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote: This stops these four

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task->pid and task->tgid

2013-08-26 Thread Richard Guy Briggs
On Fri, Aug 23, 2013 at 09:28:07PM +0200, Oleg Nesterov wrote: On 08/22, Richard Guy Briggs wrote: On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote: Why would you ever want to do this? It just makes these tests more expensive for no gain what so ff'ing ever. Backups

[PATCH 06/12] audit: Simplify and correct audit_log_capset

2013-08-20 Thread Richard Guy Briggs
ebied...@xmission.com (cherry picked from commit bcc85f0af31af123e32858069eb2ad8f39f90e67) Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |6 +++--- kernel/auditsc.c |6 ++ kernel/capability.c |2 +- 3 files changed, 6 insertions(+), 8 deletions

[PATCH 03/12] pid: get ppid pid_t of task in init_pid_ns safely

2013-08-20 Thread Richard Guy Briggs
to the child process' pid namespace. (informed by ebiederman's 6c621b7e) Cc: sta...@vger.kernel.org Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h | 23 +++ 1 files changed, 23 insertions(+), 0 deletions

[PATCH 09/12] pid: modify task_pid_nr to work without task->pid.

2013-08-20 Thread Richard Guy Briggs
task->pid is an error prone construct and results in duplicate maintenance. Start its demise by modifying task_pid_nr to not use it. (informed by ebiederman's 3a2e8c59) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h |2

[PATCH 11/12] pid: rewrite task helper functions avoiding task->pid and task->tgid

2013-08-20 Thread Richard Guy Briggs
This stops these four task helper functions from using the deprecated and error-prone task->pid and task->tgid. (informed by ebiederman's ea5a4d01) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h |8 1 files

[PATCH 12/12] pid: mark struct task const in helper functions

2013-08-20 Thread Richard Guy Briggs
It doesn't make any sense to recallers to pass in a non-const struct task so update the function signatures to only require a const struct task. (informed by ebiederman's c76b2526) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux

[PATCH 10/12] pid: modify task_tgid_nr to work without task->tgid.

2013-08-20 Thread Richard Guy Briggs
task->tgid is an error prone construct and results in duplicate maintenance. Start its demise by modifying task_tgid_nr to not use it. Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/sched.h |2 +- 1 files changed, 1 insertions

[PATCH 08/12] audit: anchor all pid references in the initial pid namespace

2013-08-20 Thread Richard Guy Briggs
. Cc: Eric W. Biederman ebied...@xmission.com (informed by ebiederman's c776b5d2) Signed-off-by: Richard Guy Briggs r...@redhat.com --- drivers/tty/tty_audit.c |3 ++- kernel/audit.c | 15 ++- kernel/auditfilter.c | 17

[PATCH 07/12] audit: store audit_pid as a struct pid pointer

2013-08-20 Thread Richard Guy Briggs
into the initial pid namespace for reports (informed by ebiederman's 5bf431da) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 25 +++-- kernel/audit.h |4 ++-- kernel/auditsc.c |6 +++--- 3 files changed

[PATCH 02/12] audit: fix netlink portid naming and types

2013-08-20 Thread Richard Guy Briggs
. Ports use the __u32 type, so re-type all portids accordingly. (This patch is very similar to ebiederman's 5deadd69) Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h |2 +- kernel/audit.c| 32 kernel/audit.h|8

[PATCH 05/12] pid: get pid_t of task in init_pid_ns correctly

2013-08-20 Thread Richard Guy Briggs
a clear abstraction of the frequently used init_pid_ns in task_pid_nr_ns() and task_tgid_nr_ns(). Also added pid_nr_init_ns() to explicitly use init_pid_ns. (informed by ebiederman's 3a2e8c59) Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- include

[PATCH 04/12] audit: convert PPIDs to the inital PID namespace.

2013-08-20 Thread Richard Guy Briggs
to task_ppid_nr_init_ns() for PPIDs to anchor all audit filters in the init_pid_ns. (informed by ebiederman's 6c621b7e) Cc: sta...@vger.kernel.org Cc: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c|4 ++-- kernel/auditsc.c

[PATCH 01/12] audit: Kill the unused struct audit_aux_data_capset

2013-08-20 Thread Richard Guy Briggs
From: Eric W. Biederman ebied...@xmission.com Signed-off-by: Eric W. Biederman ebied...@xmission.com (cherry picked from commit 6904431d6b41190e42d6b94430b67cb4e7e6a4b7) Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |6 -- 1 files changed, 0 insertions(+), 6

[PATCH 00/12] RFC: steps to make audit pid namespace-safe

2013-08-20 Thread Richard Guy Briggs
it. Discuss. Eric W. Biederman (5): audit: Kill the unused struct audit_aux_data_capset audit: Simplify and correct audit_log_capset Richard Guy Briggs (7): audit: fix netlink portid naming and types pid: get ppid pid_t of task in init_pid_ns safely audit: convert PPIDs to the inital PID

Re: [PATCH 11/12] pid: rewrite task helper functions avoiding task->pid and task->tgid

2013-08-22 Thread Richard Guy Briggs
On Thu, Aug 22, 2013 at 10:05:55PM +0200, Peter Zijlstra wrote: On Tue, Aug 20, 2013 at 05:32:03PM -0400, Richard Guy Briggs wrote: This stops these four task helper functions from using the deprecated and error-prone task->pid and task->tgid. (informed by ebiederman's ea5a4d01) Cc: Eric

[PATCH] audit: restore order of tty and ses fields in log output

2013-07-15 Thread Richard Guy Briggs
Guy Briggs r...@redhat.com --- kernel/audit.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..63b2dd5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1590,7 +1590,7 @@ void audit_log_task_info(struct audit_buffer *ab

[PATCH] audit: listen in all network namespaces

2013-07-16 Thread Richard Guy Briggs
Convert audit from only listening in init_net to use register_pernet_subsys() to dynamically manage the netlink socket list. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 64 ++- kernel/audit.h |4 +++ 2 files

[PATCH] kaudit: prevent an older auditd shutdown from orphaning a newer auditd startup

2013-07-17 Thread Richard Guy Briggs
that specific case, returning an error of EACCES. The case for preventing a newer auditd from registering itself if there is an existing auditd is a more difficult case that is beyond the scope of this patch. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 ++ 1 files changed

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-11-05 Thread Richard Guy Briggs
-- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- To unsubscribe from this list: send the line unsubscribe linux-kernel

Re: [RFC] audit: avoid soft lockup in audit_log_start()

2013-09-17 Thread Richard Guy Briggs
of the same bug, so it is getting around... - RGB

[PATCH] audit: format user messages to size of MAX_AUDIT_MESSAGE_LENGTH

2013-09-17 Thread Richard Guy Briggs
-by: Justin Stephenson jstep...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..939cff1 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -715,7 +715,7

Re: [PATCH] audit: fix endless wait in audit_log_start()

2013-09-18 Thread Richard Guy Briggs
to work. This is minimal patch for that bug. Thanks Konstantin, This patch is in my patchset... Signed-off-by: Konstantin Khlebnikov khlebni...@openvz.org Cc: Andrew Morton a...@linux-foundation.org Cc: Luiz Capitulino lcapitul...@redhat.com Cc: Richard Guy Briggs r...@redhat.com Cc: Eric

[PATCH] audit: remove newline accidentally added during session id helper refactor

2013-09-18 Thread Richard Guy Briggs
A newline was accidentally added during session ID helper refactorization in commit 4d3fb709. This needlessly uses up buffer space, messes up syslog formatting and makes userspace processing less efficient. Remove it. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2

[PATCH 2/8] audit: reset audit backlog wait time after error recovery

2013-09-18 Thread Richard Guy Briggs
-by: Luiz Capitulino lcapitul...@redhat.com Signed-off-by: Dan Duval dan.du...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/kernel

[PATCH 7/8] audit: clean up AUDIT_GET/SET local variables and future-proof API

2013-09-18 Thread Richard Guy Briggs
Re-named confusing local variable names (status_set and status_get didn't agree with their command type name) and reduced their scope. Future-proof API changes by not depending on the exact size of the audit_status struct. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c

[PATCH 3/8] audit: make use of remaining sleep time from wait_for_auditd

2013-09-18 Thread Richard Guy Briggs
If wait_for_auditd() times out, go immediately to the error function rather than retesting the loop conditions. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 12 1 files changed, 8 insertions(+), 4 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c

[PATCH 8/8] audit: add audit_backlog_wait_time configuration option

2013-09-18 Thread Richard Guy Briggs
readahead-collector abuses the audit logging facility to discover which files are accessed at boot time to make a pre-load list Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up, or gets blocked, the callers won't be blocked. Signed-off-by: Richard Guy Briggs r

[PATCH 0/8] Audit backlog queue fixes related to soft lockup

2013-09-18 Thread Richard Guy Briggs
and 8th are to add a config option to make the backlog wait time configurable from the hard-coded default. Richard Guy Briggs (8): audit: avoid soft lockup due to audit_log_start() incorrect loop termination audit: reset audit backlog wait time after error recovery audit: make use

[PATCH 1/8] audit: avoid soft lockup due to audit_log_start() incorrect loop termination

2013-09-18 Thread Richard Guy Briggs
Khlebnikov khlebni...@openvz.org Signed-off-by: Dan Duval dan.du...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel

[PATCH 4/8] audit: efficiency fix 1: only wake up if queue shorter than backlog limit

2013-09-18 Thread Richard Guy Briggs
...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 42c68db..25fab2d 100644 --- a/kernel/audit.c

[PATCH 5/8] audit: efficiency fix 2: request exclusive wait since all need same resource

2013-09-18 Thread Richard Guy Briggs
://lkml.org/lkml/2013/9/2/479 Signed-off-by: Dan Duval dan.du...@oracle.com Signed-off-by: Chuck Anderson chuck.ander...@oracle.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel

[PATCH 6/8] audit: add boot option to override default backlog limit

2013-09-18 Thread Richard Guy Briggs
the lost messages without compiling a new kernel. This patch adds a boot option (audit already has one to enable/disable it) audit_backlog_limit=n that overrides the default to allow the system administrator to set the backlog limit. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel

Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option

2013-09-18 Thread Richard Guy Briggs
On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote: On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote: readahead-collector abuses the audit logging facility to discover which files are accessed at boot time to make a pre-load list Add a tuning option

[PATCH 2/3] smack: call WARN_ONCE() instead of calling audit_log_start()

2013-12-04 Thread Richard Guy Briggs
-by: Richard Guy Briggs r...@redhat.com --- security/smack/smack_lsm.c |5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8825375..185e2e7 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c

[PATCH 3/3] audit: drop audit_cmd_lock in AUDIT_USER family of cases

2013-12-04 Thread Richard Guy Briggs
audit_log_start(). In particular, watch out for *_audit_rule_match(). This fix will take care of systemd and anything USING audit. It still means that we could race with something configuring audit and auditd shutting down. Signed-off-by: Richard Guy Briggs r...@tricolour.ca Signed-off-by: Richard Guy Briggs

[PATCH 0/3] audit: remove audit_log_start() contention in AUDIT_USER type calls

2013-12-04 Thread Richard Guy Briggs
trim_marked(). It may make sense to have trim_marked() send its queue through a new thread. Richard Guy Briggs (3): selinux: call WARN_ONCE() instead of calling audit_log_start() smack: call WARN_ONCE() instead of calling audit_log_start() audit: drop audit_cmd_lock in AUDIT_USER family

[PATCH 1/3] selinux: call WARN_ONCE() instead of calling audit_log_start()

2013-12-04 Thread Richard Guy Briggs
() in this location makes buffer allocation and locking more complicated in the calling tree (audit_filter_user()). Signed-off-by: Richard Guy Briggs r...@redhat.com --- security/selinux/ss/services.c | 12 1 files changed, 4 insertions(+), 8 deletions(-) diff --git a/security

[PATCH] audit: process errors from filter user rules

2013-12-04 Thread Richard Guy Briggs
Errors from filter user rules were previously ignored, and worse, an error on an AUDIT_NEVER rule disabled logging on that rule. On -ESTALE, retry up to 5 times. On error on AUDIT_NEVER rules, log. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 +- kernel

race in audit_log_untrusted_string for task_struct::comm

2014-03-15 Thread Richard Guy Briggs
) please find the get_task_comm() patch and the alternate memcpy() patch. - RGB

[PATCH] audit: get comm using lock to avoid race in string printing

2014-03-15 Thread Richard Guy Briggs
--- kernel/audit.c |5 ++--- kernel/auditsc.c |9 + 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 9239e5e..5b600c8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1883,7 +1883,7 @@ EXPORT_SYMBOL(audit_log_task_context);

[PATCH] audit: copy comm to avoid race in string printing

2014-03-15 Thread Richard Guy Briggs
--- kernel/audit.c |5 ++--- kernel/auditsc.c |3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 9239e5e..ecb08a5 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1883,7 +1883,7 @@ EXPORT_SYMBOL(audit_log_task_context); void

Re: [PATCH] audit: Use struct net not pid_t to remember the network namespce to reply in

2014-03-16 Thread Richard Guy Briggs
simply not being present). Signed-off-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@tricolour.ca --- kernel/audit.c | 10 ++ kernel/audit.h |2 +- kernel/auditfilter.c |3 ++- 3 files changed, 9 insertions(+), 6 deletions

Re: [PATCH] audit: Send replies in the proper network namespace.

2014-03-16 Thread Richard Guy Briggs
to the appropriate socket. Signed-off-by: Eric W. Biederman ebied...@xmission.com Signed-off-by: Richard Guy Briggs r...@tricolour.ca --- This is an incremental change on top of my previous patch to guarantee that replies always happen in the appropriate network namespace. include/linux

Re: [GIT PULL] namespaces fixes for 3.14-rcX

2014-03-16 Thread Richard Guy Briggs
as you, but continuing to suggest people don't care is starting to get abusive. In any case, since I haven't sent them to Linus and I'm glad that is done, so feel free to consider this me Acking the pull request. Eric - RGB

Re: [PATCH] audit: Use struct net not pid_t to remember the network namespce to reply in

2014-03-16 Thread Richard Guy Briggs
On 14/03/16, Richard Guy Briggs wrote: On 14/02/28, Eric W. Biederman wrote: While reading through 3.14-rc1 I found a pretty significant mishandling of network namespaces in the recent audit changes. In struct audit_netlink_list and audit_reply add a reference to the network

Re: [PATCH] audit: Send replies in the proper network namespace.

2014-03-16 Thread Richard Guy Briggs
On 14/03/16, Richard Guy Briggs wrote: On 14/02/28, Eric W. Biederman wrote: In perverse cases of file descriptor passing the current network namespace of a process and the network namespace of a socket used by that socket may differ. Therefore use the network namespace

Re: [PATCH_v5] audit: Add generic compat syscall support

2014-03-16 Thread Richard Guy Briggs
system call names * select CONFIG_AUDIT_ARCH_COMPAT_GENERIC Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org Signed-off-by: Richard Guy Briggs r...@redhat.com --- include/linux/audit.h | 8 include/uapi/linux/audit.h | 6 ++ lib/Kconfig| 9

Re: [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit

2014-03-16 Thread Richard Guy Briggs
done on entry. Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org Minor variable mis-spelling of scratch noted below, but other than that: Acked-by: Richard Guy Briggs r...@redhat.com --- arch/arm64/kernel/entry.S | 10 -- arch/arm64/kernel/ptrace.c | 50

Re: [PATCH v5 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h

2014-03-16 Thread Richard Guy Briggs
is still necessary in ptrace.c and process.c because they use is_compat_thread(). Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org Acked-by: Richard Guy Briggs r...@redhat.com --- arch/arm64/include/asm/compat.h | 5 - arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64

Re: [PATCH 4/7] pid: modify task_tgid_nr to work without task->tgid.

2014-02-21 Thread Richard Guy Briggs
On 14/02/20, Oleg Nesterov wrote: On 01/23, Richard Guy Briggs wrote: task->tgid is an error prone construct and results in duplicate maintenance. Start its demise by modifying task_tgid_nr to not use it. Well, I disagree. Yes I agree that ->tgid should probably die. But this change

Re: [ARCH question] Do syscall_get_nr and syscall_get_arguments always work?

2014-02-21 Thread Richard Guy Briggs
on at least s390x. Others may have it missing too, but the build quit on discovering that one. I guess that, if the syscall restart logic needs to read the argument registers, then they're probably reliably saved... --Andy - RGB

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-21 Thread Richard Guy Briggs
On 14/02/19, Richard Guy Briggs wrote: On 14/02/18, Richard Guy Briggs wrote: On 14/02/18, Steve Grubb wrote: On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote: missing '=' but this isn't what audit_get_context() does... it's crappy naming...I'd think

Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL

2014-02-25 Thread Richard Guy Briggs
it with HAVE_ARCH_AUDITSYSCALL for simplicity. Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org Acked-by: Richard Guy Briggs r...@redhat.com --- arch/alpha/Kconfig |1 + arch/arm/Kconfig |1 + arch/ia64/Kconfig |1 + arch/parisc/Kconfig|1 + arch

Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace

2014-02-28 Thread Richard Guy Briggs
On 14/02/28, Will Deacon wrote: On Fri, Feb 28, 2014 at 05:17:15AM +, AKASHI Takahiro wrote: This patch adds auditing functions on entry to or exit from every system call invocation. Acked-by: Richard Guy Briggs r...@redhat.com Signed-off-by: AKASHI Takahiro takahiro.aka

Re: [PATCH] audit: Use struct net not pid_t to remember the network namespce to reply in

2014-02-28 Thread Richard Guy Briggs
; - dest-pid = task_pid_vnr(current); skb_queue_head_init(dest-q); mutex_lock(audit_filter_mutex); -- 1.7.5.4 - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice

[PATCH] audit: don't generate loginuid log when audit disabled

2014-03-03 Thread Richard Guy Briggs
From: Gao feng gaof...@cn.fujitsu.com If audit is disabled, we shouldn't generate loginuid audit log. Cc: sta...@vger.kernel.org # v3.13-rc1 Acked-by: Eric Paris epa...@redhat.com Signed-off-by: Gao feng gaof...@cn.fujitsu.com Signed-off-by: Richard Guy Briggs r...@redhat.com Signed-off-by: Eric

Re: [PATCH] audit: don't generate loginuid log when audit disabled

2014-03-03 Thread Richard Guy Briggs
On 14/03/03, Greg KH wrote: On Mon, Mar 03, 2014 at 05:30:50PM -0500, Richard Guy Briggs wrote: From: Gao feng gaof...@cn.fujitsu.com If audit is disabled, we shouldn't generate loginuid audit log. Cc: sta...@vger.kernel.org # v3.13-rc1 Acked-by: Eric Paris epa...@redhat.com

Re: [PATCH v6 1/2] arm64: Add audit support

2014-03-04 Thread Richard Guy Briggs
On 14/02/28, AKASHI Takahiro wrote: On AArch64, audit is supported through generic lib/audit.c and compat_audit.c, and so this patch adds arch specific definitions required. Acked-by Will Deacon will.dea...@arm.com Acked-by: Richard Guy Briggs r...@redhat.com Signed-off-by: AKASHI Takahiro

[PATCH 2/6][RFC] audit: add arch field to seccomp event log

2014-03-05 Thread Richard Guy Briggs
-m SECCOMP -i Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3bc12d2..7317f46 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -67,6 +67,7

[PATCH 4/6][RFC] audit: drop arch from audit_syscall_entry() interface

2014-03-05 Thread Richard Guy Briggs
Make audit_syscall_entry() ignore the arch parameter passed to it and call syscall_get_arch() locally. Remove arch from the audit_syscall_entry() parameter list. Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/arm/kernel/ptrace.c|2 +- arch/ia64/kernel/ptrace.c

[PATCH 5/6][RFC] audit: drop args from syscall_get_arch() interface

2014-03-05 Thread Richard Guy Briggs
Since all callers of syscall_get_arch() call with task current and none of the arch-dependent functions use the regs parameter (which could just as easily be found with task_pt_regs()), delete both parameters. Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/arm/include/asm/syscall.h

[PATCH 3/6][RFC] audit: __audit_syscall_entry: ignore arch arg and call syscall_get_arch() directly

2014-03-05 Thread Richard Guy Briggs
the kernel internal to the user api version to get the architecture numbers, but to avoid a circular header reference between audit and syscall.h Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/arm/include/asm/syscall.h|2 +- arch/ia64/include/asm/syscall.h |2 +- arch

[PATCH 6/6][RFC] audit: drop arch from __audit_syscall_entry() interface

2014-03-05 Thread Richard Guy Briggs
Since arch is found locally in __audit_syscall_entry(), there is no need to pass it in as a parameter. Delete it from the parameter list. x86* was the only arch to call __audit_syscall_entry() directly and did so from assembly code. Signed-off-by: Richard Guy Briggs r...@redhat.com --- Can I

[PATCH 0/6][RFC] audit: standardize and simplify syscall_get_arch()

2014-03-05 Thread Richard Guy Briggs
around arch, current and regs in __audit_syscall_entry() and audit_syscall_entry(). Compiles and runs on i686, x86_64, ppc, ppc64, s390, s390x, manually tested in an x86_64 VM. aarch64 will be added soon. Richard Guy Briggs (6): syscall: define syscall_get_arch() for each audit-supported arch

[PATCH 1/6][RFC] syscall: define syscall_get_arch() for each audit-supported arch

2014-03-05 Thread Richard Guy Briggs
Each arch that supports audit requires syscall_get_arch() to be able to log and identify architecture-dependent syscall numbers. The information is used in at least two different subsystems, so standardize it in the same call across all arches. Signed-off-by: Richard Guy Briggs r...@redhat.com

Re: [PATCH] audit: remove stray newlines from audit_log_lost messages

2014-03-05 Thread Richard Guy Briggs
=%d\n, audit_pid); - audit_log_lost(auditd disappeared\n); + audit_log_lost(auditd disappeared); audit_pid = 0; audit_sock = NULL; } -- 1.8.5.3 - RGB -- Richard Guy Briggs rbri...@redhat.com

Re: [PATCH 1/6][RFC] syscall: define syscall_get_arch() for each audit-supported arch

2014-03-05 Thread Richard Guy Briggs
On 14/03/05, Richard Guy Briggs wrote: Each arch that supports audit requires syscall_get_arch() to be able to log and identify architecture-dependent syscall numbers. The information is used in at least two different subsystems, so standardize it in the same call across all arches. I just

Re: [PATCH] audit: remove stray newlines from audit_log_lost messages

2014-03-05 Thread Richard Guy Briggs
On 14/03/05, Joe Perches wrote: On Wed, 2014-03-05 at 17:27 -0500, Richard Guy Briggs wrote: On 14/03/05, Josh Boyer wrote: Calling audit_log_lost with a \n in the format string leads to extra newlines in dmesg. That function will eventually call audit_panic which uses pr_err

Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace

2014-03-05 Thread Richard Guy Briggs
On 14/03/06, AKASHI Takahiro wrote: On 03/01/2014 01:15 AM, Will Deacon wrote: On Fri, Feb 28, 2014 at 05:17:15AM +, AKASHI Takahiro wrote: This patch adds auditing functions on entry to or exit from every system call invocation. Acked-by: Richard Guy Briggs r...@redhat.com Signed-off

Re: [PATCH 1/6][RFC] syscall: define syscall_get_arch() for each audit-supported arch

2014-03-06 Thread Richard Guy Briggs
On 14/03/06, Markos Chandras wrote: Hi Richard, Hi Markos, On 03/05/2014 09:27 PM, Richard Guy Briggs wrote: Each arch that supports audit requires syscall_get_arch() to be able to log and identify architecture-dependent syscall numbers. The information is used in at least two different

Re: [PATCH] Change task_struct->comm to use RCU.

2014-03-07 Thread Richard Guy Briggs
tried to use RCU for reading from vsnprintf() but Linus will not accept it. - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt

Re: [PATCH] Change task_struct->comm to use RCU.

2014-03-10 Thread Richard Guy Briggs
On 14/03/08, Tetsuo Handa wrote: Richard Guy Briggs wrote: Likewise, audit_log_untrustedstring(ab, current->comm) is racy. If task->comm was "Hello Linux" until audit_string_contains_control() in audit_log_n_untrustedstring() returns false, and becomes "Penguin" before

[PATCH 2/2] audit: include subject in login records

2014-03-11 Thread Richard Guy Briggs
Paris epa...@redhat.com Signed-off-by: Aristeu Rozanski aroza...@redhat.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c | 10 -- 1 files changed, 4 insertions(+), 6 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3bc12d2..d8a54ef 100644

[PATCH 0/2] kernel AUDIT_LOGIN event is missing subject label

2014-03-11 Thread Richard Guy Briggs
This was fixed in RHEL6 as BZ 670328, but never upstreamed. Eric Paris (1): audit: include subject in login records Richard Guy Briggs (1): audit: remove superfluous new- prefix in AUDIT_LOGIN messages kernel/auditsc.c | 10 -- 1 files changed, 4 insertions(+), 6 deletions

[PATCH 1/2] audit: remove superfluous new- prefix in AUDIT_LOGIN messages

2014-03-11 Thread Richard Guy Briggs
The new- prefix on ses and auid are un-necessary and break ausearch. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index eb01d47..3bc12d2 100644 --- a/kernel

Re: [RFC][PATCH 3/3] audit: Audit proc cmdline value

2014-01-14 Thread Richard Guy Briggs
(ab, tsk, context); audit_log_key(ab, context-filterkey); audit_log_end(ab); -- 1.7.9.5 -- Linux-audit mailing list linux-au...@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel

[PATCH] audit: add arch field to seccomp event log

2014-02-14 Thread Richard Guy Briggs
The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm=test sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 In order to determine what syscall 231

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-14 Thread Richard Guy Briggs
On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-14 Thread Richard Guy Briggs
On 14/02/14, Richard Guy Briggs wrote: On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-18 Thread Richard Guy Briggs
On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote: On 14/02/14, Richard Guy Briggs wrote: On 14/02/14, Eric Paris wrote: On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: The AUDIT_SECCOMP record looks something like

Re: [PATCH] audit: add arch field to seccomp event log

2014-02-18 Thread Richard Guy Briggs
On 14/02/18, Steve Grubb wrote: On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote: missing '=' but this isn't what audit_get_context() does... it's crappy naming...I'd think a combo of audit_dummy_context() and current->audit_context would be most appropriate

Re: [PATCH 0/7][RFC] pid: changes to support audit

2014-02-19 Thread Richard Guy Briggs
Andrew, Are you willing to shepherd this patchset? On 14/01/23, Richard Guy Briggs wrote: These are a number of patches inspired by ebiederman's container work that were included by me 2013-08-20 as the patchset: RFC: steps to make audit pid namespace-safe They have been separated

[PATCH 5/5] audit: send multicast messages only if there are listeners

2014-02-19 Thread Richard Guy Briggs
Test first to see if there are any userspace multicast listeners bound to the socket before starting the multicast send work. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel

[PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join

2014-02-19 Thread Richard Guy Briggs
Register a netlink per-protocol bind function for audit to check userspace process capabilities before allowing a multicast group connection. Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/audit.c | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git

[PATCH 0/5] audit: add restricted capability read-only netlink multicast socket

2014-02-19 Thread Richard Guy Briggs
://bugzilla.redhat.com/show_bug.cgi?id=887992 It needs a bit of massage to get past checkpatch.pl... First posted: https://www.redhat.com/archives/linux-audit/2013-January/msg8.html https://lkml.org/lkml/2013/1/27/279 Richard Guy Briggs (5): audit: move kaudit thread start from
