eb84a20e | 29-Sep-2006 | Alan Cox <alan@lxorguk.ukuu.org.uk>
[PATCH] audit/accounting: tty locking

Add tty locking around the audit and accounting code.

The whole current->signal-> locking is all deeply strange but it's for someone else to sort out. Add rather than replace the lock for acct.c

Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

1a70cd40 | 26-Sep-2006 | Stephen Smalley <sds@tycho.nsa.gov>
[PATCH] selinux: rename selinux_ctxid_to_string

Rename selinux_ctxid_to_string to selinux_sid_to_string to be consistent with other interfaces.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

62bac018 | 26-Sep-2006 | Stephen Smalley <sds@tycho.nsa.gov>
[PATCH] selinux: eliminate selinux_task_ctxid

Eliminate selinux_task_ctxid since it duplicates selinux_task_get_sid.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

55669bfa | 31-Aug-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] audit: AUDIT_PERM support

add support for AUDIT_PERM predicate

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

3f2792ff | 16-Jul-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] take filling ->pid, etc. out of audit_get_context()

move that stuff downstream and into the only branch where it'll be used.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

5ac3a9c2 | 16-Jul-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] don't bother with aux entries for dummy context

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

d51374ad | 03-Aug-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] mark context of syscall entered with no rules as dummy

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

471a5c7c | 10-Jul-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] introduce audit rules counter

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

73d3ec5a | 13-Jul-2006 | Amy Griffis <amy.griffis@hp.com>
[PATCH] fix missed create event for directory audit

When an object is created via a symlink into an audited directory, audit misses the event due to not having collected the inode data for the directory. Modify __audit_inode_child() to copy the parent inode data if a parent wasn't found in audit_names[].

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

3e2efce0 | 13-Jul-2006 | Amy Griffis <amy.griffis@hp.com>
[PATCH] fix faulty inode data collection for open() with O_CREAT

When the specified path is an existing file or when it is a symlink, audit collects the wrong inode number, which causes it to miss the open() event. Adding a second hook to the open() path fixes this.

Also add audit_copy_inode() to consolidate some code.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

6e5a2d1d | 29-Jun-2006 | Darrel Goeddel <dgoeddel@trustedcs.com>
[PATCH] audit: support for object context filters

This patch introduces object audit filters based on the elements of the SELinux context.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

 kernel/auditfilter.c           |   25 +++++++++++++++++++++++++
 kernel/auditsc.c               |   40 ++++++++++++++++++++++++++++++++++++++++
 security/selinux/ss/services.c |   18 +++++++++++++++++-
 3 files changed, 82 insertions(+), 1 deletion(-)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

3a6b9f85 | 29-Jun-2006 | Darrel Goeddel <dgoeddel@trustedcs.com>
[PATCH] audit: rename AUDIT_SE_* constants

This patch renames some audit constant definitions and adds additional definitions used by the following patch. The renaming avoids ambiguity with respect to the new definitions.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>

 include/linux/audit.h          |   15 ++++++++----
 kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
 kernel/auditsc.c               |   10 ++++----
 security/selinux/ss/services.c |   32 +++++++++++++------------
 4 files changed, 56 insertions(+), 51 deletions(-)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

5adc8a6a | 14-Jun-2006 | Amy Griffis <amy.griffis@hp.com>
[PATCH] add rule filterkey

Add support for a rule key, which can be used to tie audit records to audit rules. This is useful when a watched file is accessed through a link or symlink, as well as for general audit log analysis.

Because this patch uses a string key instead of an integer key, there is a bit of extra overhead to do the kstrdup() when a rule fires. However, we're also allocating memory for the audit record buffer, so it's probably not that significant. I went ahead with a string key because it seems more user-friendly.

Note that the user must ensure that filterkeys are unique. The kernel only checks for duplicate rules.

Signed-off-by: Amy Griffis <amy.griffis@hpd.com>

9a66a53f | 27-Jun-2006 | Jesper Juhl <jesper.juhl@gmail.com>
[PATCH] Remove redundant NULL checks before [kv]free - in kernel/

Remove redundant kfree NULL checks from kernel/

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

1dbe83c3 | 27-Jun-2006 | Randy Dunlap <rdunlap@xenotime.net>
[PATCH] fix kernel-doc in kernel/ dir

Fix kernel-doc parameters in kernel/

Warning(/var/linsrc/linux-2617-g9//kernel/auditsc.c:1376): No description found for parameter 'u_abs_timeout'
Warning(/var/linsrc/linux-2617-g9//kernel/auditsc.c:1420): No description found for parameter 'u_msg_prio'
Warning(/var/linsrc/linux-2617-g9//kernel/auditsc.c:1420): No description found for parameter 'u_abs_timeout'
Warning(/var/linsrc/linux-2617-g9//kernel/acct.c:526): No description found for parameter 'pacct'

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

862f5f01 | 23-Jun-2006 | Randy Dunlap <rdunlap@xenotime.net>
[PATCH] Doc: add audit & acct to DocBook

Fix one audit kernel-doc description (one parameter was missing). Add audit*.c interfaces to DocBook. Add BSD accounting interfaces to DocBook.

Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

41757106 | 12-Jun-2006 | Steve Grubb <sgrubb@redhat.com>
[PATCH] make set_loginuid obey audit_enabled

Hi,

I was doing some testing and noticed that when the audit system was disabled, I was still getting messages about the loginuid being set. The following patch makes audit_set_loginuid look at in_syscall to determine if it should create an audit event. The loginuid will continue to be set as long as there is a context.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

9c937dcc | 09-Jun-2006 | Amy Griffis <amy.griffis@hp.com>
[PATCH] log more info for directory entry change events

When an audit event involves changes to a directory entry, include a PATH record for the directory itself. A few other notable changes:

- fixed audit_inode_child() hooks in fsnotify_move()
- removed unused flags arg from audit_inode()
- added audit log routines for logging a portion of a string

Here's some sample output.

before patch:
type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
type=CWD msg=audit(1149821605.320:26): cwd="/root"
type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0

after patch:
type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
type=CWD msg=audit(1149822032.332:24): cwd="/root"
type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

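An added example, written for this page and not taken from the kernel or the audit userspace tools, that reads records in the format shown in the sample output above and exercises what the filterkey commit (5adc8a6a), the object context filter commit (6e5a2d1d) and this directory PATH record commit (9c937dcc) describe: grouping records into one event per syscall, resolving a relative PATH name against the directory record that now precedes it, indexing events by the key= their rule attached, and matching the user/role/type components of a PATH record's obj= context. The log lines are constructed: the first event is the post-patch mkdir from this commit message with an assumed key= field appended, and the second event is invented. The rule names obj_user, obj_role and obj_type are assumed to mirror the auditctl field names; this page does not list them.

```python
"""Parse Linux audit records and apply key= grouping and obj= context
filtering.  Added example, not kernel or audit-userspace code."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: the post-patch mkdir event from the commit message
# (item=0 is the parent directory) plus a made-up open() of /etc/shadow.
# The key= values are assumed; filterkey rules would attach them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key="home-dirs"
type=CWD msg=audit(1149822032.332:24): cwd="/root"
type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
type=SYSCALL msg=audit(1149822040.100:25): arch=40000003 syscall=5 success=yes exit=3 a0=bfdd9c7c a1=0 a2=0 a3=0 items=1 ppid=714 pid=790 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key="shadow"
type=CWD msg=audit(1149822040.100:25): cwd="/root"
type=PATH msg=audit(1149822040.100:25): item=0 name="/etc/shadow" inode=3342 dev=03:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
"""


def parse_record(line):
    """Split one record into (type, serial, fields); quoted values are unquoted."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, rest = m.groups()
    fields = {"_ts": ts}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return rtype, int(serial), fields


def parse_events(text):
    """Group records by serial number: one event per syscall, PATH items ordered."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, serial, fields = parse_record(line)
        ev = events.setdefault(serial, {"serial": serial, "syscall": None,
                                        "cwd": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
        elif rtype == "PATH":
            ev["paths"].append(fields)
    for ev in events.values():
        ev["paths"].sort(key=lambda p: int(p["item"]))
    return events


def split_context(ctx):
    """user:role:type[:range] -> dict.  The MLS range may itself contain colons
    (s0-s0:c0.c255), so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def full_paths(ev):
    """Resolve relative PATH names against the directory PATH record (item=0)
    when the event carries one, falling back to cwd for the pre-patch layout."""
    paths = ev["paths"]
    if not paths:
        return []
    base = ev["cwd"] or "/"
    first = paths[0]
    if first["name"].startswith("/") and first["mode"].startswith("04"):  # S_IFDIR
        base = first["name"]
    return [p["name"] if p["name"].startswith("/")
            else base.rstrip("/") + "/" + p["name"] for p in paths]


def events_by_key(events):
    """Index event serials by the filterkey their rule attached (key= on SYSCALL).
    Two rules sharing a key collapse into one bucket, which is why the commit
    message says the user must keep keys unique."""
    index = defaultdict(list)
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        if sc and "key" in sc:
            index[sc["key"]].append(serial)
    return dict(index)


# Assumed rule field names -> context component they test.
OBJ_FIELDS = {"obj_user": "user", "obj_role": "role", "obj_type": "type"}


def match_object(ev, **rule):
    """True if any PATH record's obj= context satisfies every obj_* component."""
    for p in ev["paths"]:
        if "obj" not in p:
            continue
        ctx = split_context(p["obj"])
        if all(ctx[OBJ_FIELDS[k]] == v for k, v in rule.items()):
            return True
    return False


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for serial, ev in sorted(evs.items()):
        print(serial, ev["syscall"]["comm"], full_paths(ev),
              "shadow_t" if match_object(ev, obj_type="shadow_t") else "-")
```

Running the block prints one line per event with the resolved paths; the `match_object` call is what an `obj_type=shadow_t` rule would decide for each event, and `events_by_key` is the grouping a log analyst gets from the key= field without having to recover which rule fired from the path.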
f368c07d | 07-Apr-2006 | Amy Griffis <amy.griffis@hp.com>
[PATCH] audit: path-based rules

In this implementation, audit registers inotify watches on the parent directories of paths specified in audit rules. When audit's inotify event handler is called, it updates any affected rules based on the filesystem event. If the parent directory is renamed, removed, or its filesystem is unmounted, audit removes all rules referencing that inotify watch.

To keep things simple, this implementation limits location-based auditing to the directory entries in an existing directory. Given a path-based rule for /foo/bar/passwd, the following table applies:

passwd modified  -- audit event logged
passwd replaced  -- audit event logged, rules list updated
bar renamed      -- rule removed
foo renamed      -- untracked, meaning that the rule now applies to the new location

Audit users typically want to have many rules referencing filesystem objects, which can significantly impact filtering performance. This patch also adds an inode-number-based rule hash to mitigate this situation.

The patch is relative to the audit git tree: http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary and uses the inotify kernel API: http://lkml.org/lkml/2006/6/1/145

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

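A toy model of the mechanism this commit describes, added here as an example and not the kernel's code: rules live under an inotify watch on the watched path's parent directory, syscall events are matched against the rules through a hash keyed by (dev, inode) rather than by path string, and directory events update or drop rules the way the table above says. The in-memory filesystem, the event names (create/moved_to for a replaced entry, move_self/delete_self/unmount for the parent) and the handling of a deleted entry (rule kept, no inode until something is created under that name) are assumptions made for the demo; only the four table rows are taken from the commit message.

```python
"""Model of path-based audit rules: parent-directory watches plus an
inode-keyed rule hash.  Added example, not kernel code."""
import posixpath
from collections import defaultdict


class PathRuleTable:
    def __init__(self):
        self.watches = defaultdict(dict)      # parent dir -> {basename: rule}
        self.inode_hash = defaultdict(set)    # (dev, ino) -> set of rule keys
        self.rules = {}                       # key -> rule

    def add_rule(self, path, key, lookup):
        """lookup(path) -> (dev, ino), or None if the entry does not exist yet."""
        parent, name = posixpath.split(path)
        rule = {"key": key, "parent": parent, "name": name, "ino": lookup(path)}
        self.rules[key] = rule
        self.watches[parent][name] = rule          # watch goes on the parent
        if rule["ino"] is not None:
            self.inode_hash[rule["ino"]].add(key)

    def _unhash(self, rule):
        if rule["ino"] is not None:
            self.inode_hash[rule["ino"]].discard(rule["key"])

    def _drop_watch(self, parent):
        """Parent renamed/removed/unmounted: every rule on that watch goes away."""
        for rule in self.watches.pop(parent, {}).values():
            self._unhash(rule)
            del self.rules[rule["key"]]

    def on_inotify(self, event, parent, name=None, new_ino=None):
        """Handler for events delivered on a watched parent directory.
        Events on an unwatched directory (e.g. a grandparent rename) are
        never seen, which is the 'untracked' row of the table."""
        if parent not in self.watches:
            return
        if event in ("create", "moved_to"):
            rule = self.watches[parent].get(name)
            if rule is not None:               # entry replaced: new inode
                self._unhash(rule)
                rule["ino"] = new_ino
                self.inode_hash[new_ino].add(rule["key"])
        elif event in ("delete", "moved_from"):
            rule = self.watches[parent].get(name)
            if rule is not None:               # assumption: keep rule, no inode
                self._unhash(rule)
                rule["ino"] = None
        elif event in ("move_self", "delete_self", "unmount"):
            self._drop_watch(parent)

    def match(self, dev_ino):
        """Keys of rules whose current inode equals the object a syscall touched."""
        return sorted(self.inode_hash.get(dev_ino, ()))


def demo():
    """Walk through the table for a rule on /foo/bar/passwd (constructed data)."""
    fs = {"/foo/bar/passwd": (3, 1001)}        # path -> (dev, ino)
    table = PathRuleTable()
    table.add_rule("/foo/bar/passwd", "passwd-rule", fs.get)
    out = {}
    # passwd modified in place: same inode, event matches and is logged
    out["modified"] = table.match((3, 1001))
    # passwd replaced (write temp file, rename over): watch on /foo/bar fires,
    # rule now carries the new inode; the old inode no longer matches
    table.on_inotify("moved_to", "/foo/bar", "passwd", (3, 1002))
    out["replaced_old"] = table.match((3, 1001))
    out["replaced_new"] = table.match((3, 1002))
    # foo renamed: /foo is not watched, so nothing changes and the rule keeps
    # matching the same inode at its new location
    table.on_inotify("move_self", "/foo")
    out["foo_renamed"] = table.match((3, 1002))
    # bar renamed: the watched parent moved, rule removed
    table.on_inotify("move_self", "/foo/bar")
    out["bar_renamed"] = table.match((3, 1002))
    out["rules_left"] = sorted(table.rules)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print("%-13s %s" % (step, result))
```

The inode hash is the part worth noticing: the syscall-exit path never compares strings, it looks up the (dev, ino) of each touched object, so the cost of having many file rules is bounded by the hash rather than by walking every rule, which is the performance point the last paragraph of the commit makes.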
20ca73bc | 24-May-2006 | George C. Wilson <ltcgcw@us.ibm.com>
[PATCH] Audit of POSIX Message Queue Syscalls v.2

This patch adds audit support to POSIX message queues. It applies cleanly to the lspp.b15 branch of Al Viro's git tree. There are new auxiliary data structures, and collection and emission routines in kernel/auditsc.c. New hooks in ipc/mqueue.c collect arguments from the syscalls.

I tested the patch by building the examples from the POSIX MQ library tarball. Build them -lrt, not against the old MQ library in the tarball. Here's the URL: http://www.geocities.com/wronski12/posix_ipc/libmqueue-4.41.tar.gz Do auditctl -a exit,always -S for mq_open, mq_timedsend, mq_timedreceive, mq_notify, mq_getsetattr. mq_unlink has no new hooks. Please see the corresponding userspace patch to get correct output from auditd for the new record types.

[fixes folded]

Signed-off-by: George Wilson <ltcgcw@us.ibm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

014149cc | 23-May-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] deprecate AUDIT_POSSIBLE

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

d8945bb5 | 18-May-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] inline more audit helpers

pull checks for ->audit_context into inlined wrappers

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

ac03221a | 17-May-2006 | Linda Knippers <linda.knippers@hp.com>
[PATCH] update of IPC audit record cleanup

The following patch addresses most of the issues with the IPC_SET_PERM records as described in: https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html and addresses the comments I received on the record field names.

To summarize, I made the following changes:

1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM record is emitted in the failure case as well as the success case. This matches the behavior in sys_shmctl(). I could simplify the code in sys_msgctl() and semctl_down() slightly but it would mean that in some error cases we could get an IPC_SET_PERM record without an IPC record and that seemed odd.

2. No change to the IPC record type, given no feedback on the backward compatibility question.

3. Removed the qbytes field from the IPC record. It wasn't being set and when audit_ipc_obj() is called from ipcperms(), the information isn't available. If we want the information in the IPC record, more extensive changes will be necessary. Since it only applies to message queues and it isn't really permission related, it doesn't seem worth it.

4. Removed the obj field from the IPC_SET_PERM record. This means that the kern_ipc_perm argument is no longer needed.

5. Removed the spaces and renamed the IPC_SET_PERM field names. Replaced iuid and igid fields with ouid and ogid in the IPC record.

I tested this with the lspp.22 kernel on an x86_64 box. I believe it applies cleanly on the latest kernel.

-- ljk

Signed-off-by: Linda Knippers <linda.knippers@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

3c66251e | 06-May-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] add filtering by ppid

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

f46038ff | 06-May-2006 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] log ppid

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>