1. 20 3月, 2014 6 次提交
    • A
      audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL · 7a017721
      AKASHI Takahiro 提交于
      Currently AUDITSYSCALL has a long list of architecture depencency:
             depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
      		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
      The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
      for simplicity.
      Signed-off-by: NAKASHI Takahiro <takahiro.akashi@linaro.org>
      Acked-by: Will Deacon <will.deacon@arm.com> (arm)
      Acked-by: Richard Guy Briggs <rgb@redhat.com> (audit)
      Acked-by: Matt Turner <mattst88@gmail.com> (alpha)
      Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
      Signed-off-by: NEric Paris <eparis@redhat.com>
      7a017721
    • alpha: Enable system-call auditing support. · 015d991f
      蔡正龙 提交于
      Signed-off-by: NZhenglong.cai <zhenglong.cai@cs2c.com.cn>
      Signed-off-by: NMatt Turner <mattst88@gmail.com>
      015d991f
    • E
      audit: Send replies in the proper network namespace. · 099dd235
      Eric W. Biederman 提交于
      In perverse cases of file descriptor passing the current network
      namespace of a process and the network namespace of a socket used by
      that socket may differ.  Therefore use the network namespace of the
      appropiate socket to ensure replies always go to the appropiate
      socket.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      099dd235
    • E
      audit: Use struct net not pid_t to remember the network namespce to reply in · 638a0fd2
      Eric W. Biederman 提交于
      While reading through 3.14-rc1 I found a pretty siginficant mishandling
      of network namespaces in the recent audit changes.
      
      In struct audit_netlink_list and audit_reply add a reference to the
      network namespace of the caller and remove the userspace pid of the
      caller.  This cleanly remembers the callers network namespace, and
      removes a huge class of races and nasty failure modes that can occur
      when attempting to relook up the callers network namespace from a pid_t
      (including the caller's network namespace changing, pid wraparound, and
      the pid simply not being present).
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      638a0fd2
    • W
      audit: Audit proc/<pid>/cmdline aka proctitle · 3f1c8250
      William Roberts 提交于
      During an audit event, cache and print the value of the process's
      proctitle value (proc/<pid>/cmdline). This is useful in situations
      where processes are started via fork'd virtual machines where the
      comm field is incorrect. Often times, setting the comm field still
      is insufficient as the comm width is not very wide and most
      virtual machine "package names" do not fit. Also, during execution,
      many threads have their comm field set as well. By tying it back to
      the global cmdline value for the process, audit records will be more
      complete in systems with these properties. An example of where this
      is useful and applicable is in the realm of Android. With Android,
      their is no fork/exec for VM instances. The bare, preloaded Dalvik
      VM listens for a fork and specialize request. When this request comes
      in, the VM forks, and the loads the specific application (specializing).
      This was done to take advantage of COW and to not require a load of
      basic packages by the VM on very app spawn. When this spawn occurs,
      the package name is set via setproctitle() and shows up in procfs.
      Many of these package names are longer then 16 bytes, the historical
      width of task->comm. Having the cmdline in the audit records will
      couple the application back to the record directly. Also, on my
      Debian development box, some audit records were more useful then
      what was printed under comm.
      
      The cached proctitle is tied to the life-cycle of the audit_context
      structure and is built on demand.
      
      Proctitle is controllable by userspace, and thus should not be trusted.
      It is meant as an aid to assist in debugging. The proctitle event is
      emitted during syscall audits, and can be filtered with auditctl.
      
      Example:
      type=AVC msg=audit(1391217013.924:386): avc:  denied  { getattr } for  pid=1971 comm="mkdir" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
      type=SYSCALL msg=audit(1391217013.924:386): arch=c000003e syscall=137 success=yes exit=0 a0=7f019dfc8bd7 a1=7fffa6aed2c0 a2=fffffffffff4bd25 a3=7fffa6aed050 items=0 ppid=1967 pid=1971 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mkdir" exe="/bin/mkdir" subj=system_u:system_r:consolekit_t:s0-s0:c0.c255 key=(null)
      type=UNKNOWN[1327] msg=audit(1391217013.924:386):  proctitle=6D6B646972002D70002F7661722F72756E2F636F6E736F6C65
      
      Acked-by: Steve Grubb <sgrubb@redhat.com> (wrt record formating)
      Signed-off-by: NWilliam Roberts <wroberts@tresys.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      3f1c8250
    • W
      proc: Update get proc_pid_cmdline() to use mm.h helpers · 21a6457a
      William Roberts 提交于
      Re-factor proc_pid_cmdline() to use get_cmdline() helper
      from mm.h.
      Acked-by: NDavid Rientjes <rientjes@google.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NWilliam Roberts <wroberts@tresys.com>
      Acked-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      21a6457a
  2. 08 3月, 2014 4 次提交
  3. 20 1月, 2014 4 次提交
  4. 18 1月, 2014 13 次提交
  5. 17 1月, 2014 5 次提交
  6. 16 1月, 2014 8 次提交