On the rebase of the following commit on the new seccomp actions_logged
function, one audit_context access was missed.
commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5
("audit: use inline function to get audit context")
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kern
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.
- p2/5: add audit header to init/init_task.c to quiet kbuildbot
- audit_signal_info(): fetch loginuid once
- remove task_struct from audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled
Richard Guy Briggs (3):
audit
On 2018-05-14 23:05, Richard Guy Briggs wrote:
> On 2018-05-14 17:44, Paul Moore wrote:
> > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > Recognizing that the audit context is an internal audit value, use an
> > > access funct
On 2018-05-14 17:44, Paul Moore wrote:
> On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > ra
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c | 18 +--
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 6 ++
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 2 +-
include/net/xfrm.h | 2 +-
include/uapi/linux/audit.h | 1 +
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h
audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled
Richard Guy Briggs (5):
audit: normalize loginuid read access
audit: convert sessionid unset to a macro
audit: use inline function to get audit context
audit: use
github.com/linux-audit/audit-kernel/issues/81
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
MAINTAINERS| 2 +-
include/linux/audit.h | 10 +-
include/linux/audit_task.h | 31 +++
include/linux/sched.h | 6 ++
On 2018-05-10 17:21, Richard Guy Briggs wrote:
> On 2018-05-09 11:13, Paul Moore wrote:
> > On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > Recognizing that the loginuid is an internal audit value, use an access
> > > function to
On 2018-05-09 11:46, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> >
> &
On 2018-05-09 11:13, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Recognizing that the loginuid is an internal audit value, use an access
> > function to retrieve the audit loginuid value for the task rather than
On 2018-05-09 11:28, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > ra
On 2018-05-09 12:07, Tobin C. Harding wrote:
> On Fri, May 04, 2018 at 04:54:37PM -0400, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to set the audit context pointer for the task
> > rather t
On 2018-05-04 16:54, Richard Guy Briggs wrote:
> Use a macro, "AUDIT_SID_UNSET", to replace each instance of
> initialization and comparison to an audit session ID.
>
> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
There's a minor issue with this patch, add
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c | 16
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 2 +-
include/net/xfrm.h | 2 +-
include/uapi/linux/audit.h | 1 +
dynamic allocation would mostly hide any future
changes.
The first four access normalization patches could stand alone.
Passes audit-testsuite.
Richard Guy Briggs (5):
audit: normalize loginuid read access
audit: convert sessionid unset to a macro
audit: use inline function to get audit
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h | 8
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h
kmem_cache to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.
See: https://github.com/linux-audit/audit-kernel/issues/81
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
MAINTAINERS| 2 +-
include/linux/audit.h | 8 +
On 2017-05-24 19:37, Pablo Neira Ayuso wrote:
> On Thu, May 18, 2017 at 01:21:47PM -0400, Richard Guy Briggs wrote:
> > Git context diffs were being produced with unhelpful declaration types in
> > the
> > place of function names to help identify the function in which
On 2017-05-24 19:36, Pablo Neira Ayuso wrote:
> On Thu, May 18, 2017 at 01:21:49PM -0400, Richard Guy Briggs wrote:
> > There were syscall events unsolicited by any audit rule caused by a missing
> > !audit_dummy_context() check before creating an
> > iptables/ip6tabl
On 2017-05-24 19:31, Pablo Neira Ayuso wrote:
> Cc'ing Eric Biederman.
>
> On Thu, May 18, 2017 at 01:21:52PM -0400, Richard Guy Briggs wrote:
> > diff --git a/net/bridge/netfilter/ebtables.c
> > b/net/bridge/netfilter/ebtables.c
> > index 59b63a8..0f77b2a 100644
>
anied cases:
type=UNKNOWN[1331] msg=audit(1494815998.178:167): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=598
comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" op=replace net=121
family=10 table=filter entries=4
See: https://github.com
(1494815998.178:167): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=598
comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" op=replace family=10
table=filter entries=4
See: https://github.com/linux-audit/audit-kernel/issues/25
Signed
(1494723394.832:111): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=556
comm="ebtables-restor" exe="/usr/sbin/ebtables-restore" family=7 table=broute
entries=1
See: https://github.com/linux-audit/audit-kernel/issues/43
Signed-off-by: R
Git context diffs were being produced with unhelpful declaration types in the
place of function names to help identify the function in which changes were
made.
Normalize ebtables function declarations so that git context diff function
labels work as expected.
Signed-off-by: Richard Guy Briggs <
Git context diffs were being produced with unhelpful declaration types in the
place of function names to help identify the function in which changes were
made.
Normalize x_table function declarations so that git context diff function
labels work as expected.
Signed-off-by: Richard Guy Briggs <
b.com/linux-audit/audit-kernel/issues/35
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
include/linux/audit.h |4 +++-
include/uapi/linux/audit.h |1 +
kernel/auditsc.c|3 ++-
net/bridge/netfilter/ebtables.c | 25 +++--
ne
See: https://github.com/linux-audit/audit-kernel/issues/25
See: https://github.com/linux-audit/audit-kernel/issues/35
See: https://github.com/linux-audit/audit-kernel/issues/43
Richard Guy Briggs (6):
netfilter: normalize x_table function declarations
netfilter: normalize ebtables function de
On 2017-03-22 12:11, Pablo Neira Ayuso wrote:
> On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> > Even though the skb->data pointer has been moved from the link layer
> > header to the network layer header, use the same method to calculate the
> >
(1487874761.381:227): mark=0x223894b7 saddr=::1
daddr=::1 proto=58^]
Issue: https://github.com/linux-audit/audit-kernel/issues/11
Test case: https://github.com/linux-audit/audit-testsuite/issues/43
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
v4:
Write out nfmark unmo
Even though the skb->data pointer has been moved from the link layer
header to the network layer header, use the same method to calculate the
offset in ipv4 and ipv6 routines.
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
net/netfilter/xt_AUDIT.c |2 +-
1 files c
On 2017-03-03 13:45, Florian Westphal wrote:
> Richard Guy Briggs <r...@redhat.com> wrote:
> > > Perhaps I'm missing something here, but let me ask again, how does
> > > userspace distinguish between an unset nfmark and a nfmark of
> > > 0x?
>
On 2017-03-03 14:22, Florian Westphal wrote:
> Paul Moore <p...@paul-moore.com> wrote:
> > On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <f...@strlen.de> wrote:
> > > Richard Guy Briggs <r...@redhat.com> wrote:
> > >> > Perhaps I'm mis
On 2017-03-02 21:54, Paul Moore wrote:
> On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-03-02 19:16, Paul Moore wrote:
> >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> >>
On 2017-03-02 19:16, Paul Moore wrote:
> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-03-01 17:19, Paul Moore wrote:
> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
>
On 2017-03-01 17:19, Paul Moore wrote:
> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-28 17:22, Paul Moore wrote:
> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
> >
On 2017-02-28 17:22, Paul Moore wrote:
> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > Eliminate flipping in and out of message fields, dropping fields in the
> > process.
> >
> > Sample raw message format IPv4 UDP:
On 2017-02-13 19:24, Richard Guy Briggs wrote:
> On 2017-02-13 18:50, Paul Moore wrote:
> > On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > useless?smac, dmac, macproto
> >
> > Probably useless in the majori
(1487874761.381:227): mark=0x223894b7 saddr=::1
daddr=::1 proto=58^]
Issue: https://github.com/linux-audit/audit-kernel/issues/11
Test case: https://github.com/linux-audit/audit-testsuite/issues/43
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
net/netfilter/xt_AUDIT.c
On 2017-02-23 12:20, Steve Grubb wrote:
> On Wednesday, February 22, 2017 9:50:54 PM EST Richard Guy Briggs wrote:
> > Simplify and eliminate flipping in and out of message fields, relying on
> > nfmark the way we do for audit_key.
> >
> > https://github.com/linux-a
On 2017-02-23 18:06, Florian Westphal wrote:
> Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-23 11:57, Paul Moore wrote:
> > > On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs <r...@redhat.com>
> > > wrote:
> > > > On 2017-02-23
On 2017-02-23 12:06, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-23 11:57, Paul Moore wrote:
> >> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
>
On 2017-02-23 11:57, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-23 06:20, Florian Westphal wrote:
> >> Richard Guy Briggs <r...@redhat.com> wrote:
> >> > Simplify and eliminate flip
On 2017-02-23 06:20, Florian Westphal wrote:
> Richard Guy Briggs <r...@redhat.com> wrote:
> > Simplify and eliminate flipping in and out of message fields, relying on
> > nfmark
> > the way we do for audit_key.
> >
> > +struct nfpkt_par {
>
7074abe0dddfc487aeeae6cff.1487813996.git@redhat.com>
>
> Hi Richard,
>
> [auto build test WARNING on v4.9-rc8]
> [cannot apply to nf-next/master next-20170222]
> [if your patch is applied to the wrong git tree, please drop us a note to
> help improve the sys
On 2017-02-16 20:57, Paul Moore wrote:
> [NOTE: I'll respond back to the other part of your email later but I'm
> running out of time in the day and this was a quick but important
> response]
>
> On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs <r...@redhat.com> wrote:
>
On 2017-02-14 16:06, Paul Moore wrote:
> On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-13 18:50, Paul Moore wrote:
> >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <r...@redhat.com>
> >> wrote:
>
On 2017-02-14 16:31, Steve Grubb wrote:
> On Monday, February 13, 2017 3:50:05 PM EST Richard Guy Briggs wrote:
> > > > > > The alternatives that I currently see are to drop packets for which
> > > > > > there is no local process ownership, or to leave
On 2017-02-13 18:50, Paul Moore wrote:
> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-13 12:57, Steve Grubb wrote:
> >> On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
> >> > On
On 2017-02-13 12:57, Steve Grubb wrote:
> On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
> > On 2017-02-10 17:39, Steve Grubb wrote:
> > > > The alternatives that I currently see are to drop packets for which
> > > > there is no loc
On 2017-02-10 17:39, Steve Grubb wrote:
> On Thursday, February 9, 2017 8:12:47 PM EST Richard Guy Briggs wrote:
> > On 2017-02-09 19:09, Steve Grubb wrote:
> > > On Thursday, February 9, 2017 6:49:38 PM EST Richard Guy Briggs wrote:
> > > > On 2017-02-08 18:09, Paul
On 2017-02-08 18:09, Paul Moore wrote:
> On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb <sgr...@redhat.com> wrote:
> > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs <r...@redhat.com> wrote:
>
On 2017-02-08 18:11, Paul Moore wrote:
> On Wed, Feb 8, 2017 at 7:32 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-02-07 23:02, Paul Moore wrote:
> >> On Tue, Feb 7, 2017 at 4:22 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> >>
omething we can
> use to arrive at a working implementation that satisfies these
> requirements.
>
> If this is purely about information flowing from A to B, would the
> source and destination addr/proto/port for TCP and UDP suffice? Do we
> need anything else?
>
> --
On 2017-01-20 09:49, Steve Grubb wrote:
> On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
> > On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs <r...@redhat.com>
> > wrote:
> > > On 2017-01-18 07:32, Paul Moore wrote:
> > >> On Wed, Ja
On 2017-01-30 15:53, Steve Grubb wrote:
> On Fri, 27 Jan 2017 08:11:06 -0500
> Richard Guy Briggs <r...@redhat.com> wrote:
> > Eliminate flipping in and out of message fields.
> >
> > https://github.com/linux-audit/audit-kernel/issues/11
>
> Do you have sampl
Eliminate flipping in and out of message fields.
https://github.com/linux-audit/audit-kernel/issues/11
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
net/netfilter/xt_AUDIT.c | 92 +-
1 files changed, 66 insertions(+), 26 deletions(-)
nternet browsers for example).
> >The Linux audit subsystem simply logs system events, it does not
> >enforce security policy. I suggest you investigate the different
> >Linux firewall tools and LSMs, e.g. SELinux, as they should help you
> >accomplish what you describe.
> >
On 2017-01-18 07:32, Paul Moore wrote:
> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-01-17 21:34, Richard Guy Briggs wrote:
> >> On 2017-01-17 15:17, Paul Moore wrote:
> >> > On Tue, Jan 17, 2017 at 11:12 AM,
On 2017-01-17 21:34, Richard Guy Briggs wrote:
> On 2017-01-17 15:17, Paul Moore wrote:
> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs <r...@redhat.com>
> > wrote:
> > > On 2017-01-17 08:55, Steve Grubb wrote:
> > >> On Tuesday, January 17, 201
On 2017-01-17 15:17, Paul Moore wrote:
> On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> > On 2017-01-17 08:55, Steve Grubb wrote:
> >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
>
> ...
>
> >&
On 2017-01-17 11:12, Richard Guy Briggs wrote:
> On 2017-01-17 08:55, Steve Grubb wrote:
> > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> > > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT
> > > event m
On 2017-01-17 08:55, Steve Grubb wrote:
> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT
> > event messages and it is not quite as straightforward as I had expected.
> >
> >
", I don't see a problem since it isn't conditionally compiled out
and won't be mis-interpreted. In the case of "secmark=", it could be
mis-interpreted as offload_fwd_mark if that field is even compiled in,
but that would be addressed in the compiler directive...
One last question: Does anyone have a
69 matches