1. 12 9月, 2006 2 次提交
  2. 03 8月, 2006 5 次提交
  3. 01 7月, 2006 3 次提交
    • A
      [PATCH] audit syscall classes · b915543b
      Al Viro 提交于
      Allow to tie upper bits of syscall bitmap in audit rules to kernel-defined
      sets of syscalls.  Infrastructure, a couple of classes (with 32bit counterparts
      for biarch targets) and actual tie-in on i386, amd64 and ia64.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      b915543b
    • D
      [PATCH] audit: rename AUDIT_SE_* constants · 3a6b9f85
      Darrel Goeddel 提交于
      This patch renames some audit constant definitions and adds
      additional definitions used by the following patch.  The renaming
      avoids ambiguity with respect to the new definitions.
      Signed-off-by: NDarrel Goeddel <dgoeddel@trustedcs.com>
      
       include/linux/audit.h          |   15 ++++++++----
       kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
       kernel/auditsc.c               |   10 ++++----
       security/selinux/ss/services.c |   32 +++++++++++++-------------
       4 files changed, 56 insertions(+), 51 deletions(-)
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      3a6b9f85
    • A
      [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis 提交于
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: NAmy Griffis <amy.griffis@hpd.com>
      5adc8a6a
  4. 20 6月, 2006 9 次提交
    • A
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis 提交于
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • A
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis 提交于
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • G
      [PATCH] Audit of POSIX Message Queue Syscalls v.2 · 20ca73bc
      George C. Wilson 提交于
      This patch adds audit support to POSIX message queues.  It applies cleanly to
      the lspp.b15 branch of Al Viro's git tree.  There are new auxiliary data
      structures, and collection and emission routines in kernel/auditsc.c.  New hooks
      in ipc/mqueue.c collect arguments from the syscalls.
      
      I tested the patch by building the examples from the POSIX MQ library tarball.
      Build them -lrt, not against the old MQ library in the tarball.  Here's the URL:
      http://www.geocities.com/wronski12/posix_ipc/libmqueue-4.41.tar.gz
      Do auditctl -a exit,always -S for mq_open, mq_timedsend, mq_timedreceive,
      mq_notify, mq_getsetattr.  mq_unlink has no new hooks.  Please see the
      corresponding userspace patch to get correct output from auditd for the new
      record types.
      
      [fixes folded]
      Signed-off-by: NGeorge Wilson <ltcgcw@us.ibm.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      20ca73bc
    • A
      [PATCH] inline more audit helpers · d8945bb5
      Al Viro 提交于
      pull checks for ->audit_context into inlined wrappers
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      d8945bb5
    • L
      [PATCH] update of IPC audit record cleanup · ac03221a
      Linda Knippers 提交于
      The following patch addresses most of the issues with the IPC_SET_PERM
      records as described in:
      https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
      and addresses the comments I received on the record field names.
      
      To summarize, I made the following changes:
      
      1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
         record is emitted in the failure case as well as the success case.
         This matches the behavior in sys_shmctl().  I could simplify the
         code in sys_msgctl() and semctl_down() slightly but it would mean
         that in some error cases we could get an IPC_SET_PERM record
         without an IPC record and that seemed odd.
      
      2. No change to the IPC record type, given no feedback on the backward
         compatibility question.
      
      3. Removed the qbytes field from the IPC record.  It wasn't being
         set and when audit_ipc_obj() is called from ipcperms(), the
         information isn't available.  If we want the information in the IPC
         record, more extensive changes will be necessary.  Since it only
         applies to message queues and it isn't really permission related, it
         doesn't seem worth it.
      
      4. Removed the obj field from the IPC_SET_PERM record.  This means that
         the kern_ipc_perm argument is no longer needed.
      
      5. Removed the spaces and renamed the IPC_SET_PERM field names.  Replaced iuid and
         igid fields with ouid and ogid in the IPC record.
      
      I tested this with the lspp.22 kernel on an x86_64 box.  I believe it
      applies cleanly on the latest kernel.
      
      -- ljk
      Signed-off-by: NLinda Knippers <linda.knippers@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      ac03221a
    • A
      [PATCH] add filtering by ppid · 3c66251e
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      3c66251e
    • A
      [PATCH] collect sid of those who send signals to auditd · e1396065
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      e1396065
    • A
      [PATCH] execve argument logging · 473ae30b
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      473ae30b
    • A
      [PATCH] audit_panic() is audit-internal · bc0f3b8e
      Al Viro 提交于
      ... no need to provide a stub; note that extern is already gone from
      include/linux/audit.h
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      bc0f3b8e
  5. 01 5月, 2006 4 次提交
    • S
      [PATCH] Rework of IPC auditing · 073115d6
      Steve Grubb 提交于
      1) The audit_ipc_perms() function has been split into two different
      functions:
              - audit_ipc_obj()
              - audit_ipc_set_perm()
      
      There's a key shift here...  The audit_ipc_obj() collects the uid, gid,
      mode, and SElinux context label of the current ipc object.  This
      audit_ipc_obj() hook is now found in several places.  Most notably, it
      is hooked in ipcperms(), which is called in various places around the
      ipc code permforming a MAC check.  Additionally there are several places
      where *checkid() is used to validate that an operation is being
      performed on a valid object while not necessarily having a nearby
      ipcperms() call.  In these locations, audit_ipc_obj() is called to
      ensure that the information is captured by the audit system.
      
      The audit_set_new_perm() function is called any time the permissions on
      the ipc object changes.  In this case, the NEW permissions are recorded
      (and note that an audit_ipc_obj() call exists just a few lines before
      each instance).
      
      2) Support for an AUDIT_IPC_SET_PERM audit message type.  This allows
      for separate auxiliary audit records for normal operations on an IPC
      object and permissions changes.  Note that the same struct
      audit_aux_data_ipcctl is used and populated, however there are separate
      audit_log_format statements based on the type of the message.  Finally,
      the AUDIT_IPC block of code in audit_free_aux() was extended to handle
      aux messages of this new type.  No more mem leaks I hope ;-)
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      073115d6
    • S
      [PATCH] More user space subject labels · ce29b682
      Steve Grubb 提交于
      Hi,
      
      The patch below builds upon the patch sent earlier and adds subject label to
      all audit events generated via the netlink interface. It also cleans up a few
      other minor things.
      Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      ce29b682
    • D
      [PATCH] support for context based audit filtering · 376bd9cb
      Darrel Goeddel 提交于
      The following patch provides selinux interfaces that will allow the audit
      system to perform filtering based on the process context (user, role, type,
      sensitivity, and clearance).  These interfaces will allow the selinux
      module to perform efficient matches based on lower level selinux constructs,
      rather than relying on context retrievals and string comparisons within
      the audit module.  It also allows for dominance checks on the mls portion
      of the contexts that are impossible with only string comparisons.
      Signed-off-by: NDarrel Goeddel <dgoeddel@trustedcs.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      376bd9cb
    • A
      [PATCH] drop task argument of audit_syscall_{entry,exit} · 5411be59
      Al Viro 提交于
      ... it's always current, and that's a good thing - allows simpler locking.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      5411be59
  6. 27 4月, 2006 1 次提交
  7. 21 3月, 2006 10 次提交
  8. 28 10月, 2005 1 次提交
  9. 11 7月, 2005 1 次提交
  10. 02 7月, 2005 2 次提交
  11. 24 6月, 2005 1 次提交
  12. 22 6月, 2005 1 次提交
    • D
      AUDIT: Wait for backlog to clear when generating messages. · 9ad9ad38
      David Woodhouse 提交于
      Add a gfp_mask to audit_log_start() and audit_log(), to reduce the
      amount of GFP_ATOMIC allocation -- most of it doesn't need to be 
      GFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to
      60 seconds for the auditd backlog to clear instead of immediately 
      abandoning the message. 
      
      The timeout should probably be made configurable, but for now it'll 
      suffice that it only happens if auditd is actually running.
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      9ad9ad38