1. 26 4月, 2007 2 次提交
  2. 18 2月, 2007 1 次提交
    • S
      [PATCH] audit config lockdown · 6a01b07f
      Steve Grubb 提交于
      The following patch adds a new mode to the audit system. It uses the
      audit_enabled config option to introduce the idea of audit enabled, but
      configuration is immutable. Any attempt to change the configuration
      while in this mode is audited. To change the audit rules, you'd need to
      reboot the machine.
      
      To use this option, you'd need a modified version of auditctl and use "-e 2".
      This is intended to go at the end of the audit.rules file for people that
      want an immutable configuration.
      
      This patch also adds "res=" to a number of configuration commands that did not
      have it before.
      Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      6a01b07f
  3. 08 12月, 2006 1 次提交
  4. 06 10月, 2006 1 次提交
    • A
      [PATCH] kauditd_thread warning fix · 4899b8b1
      Andrew Morton 提交于
      Squash this warning:
      
        kernel/audit.c: In function 'kauditd_thread':
        kernel/audit.c:367: warning: no return statement in function returning non-void
      
      We might as test kthread_should_stop(), although it's not very pointful at
      present.
      
      The code which starts this thread looks racy - the kernel could start multiple
      threads.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Jeff Garzik <jeff@garzik.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      4899b8b1
  5. 26 9月, 2006 1 次提交
  6. 12 9月, 2006 1 次提交
  7. 03 8月, 2006 1 次提交
  8. 30 6月, 2006 1 次提交
  9. 28 6月, 2006 1 次提交
  10. 20 6月, 2006 6 次提交
    • A
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis 提交于
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • A
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis 提交于
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • S
      [PATCH] minor audit updates · 5d136a01
      Serge E. Hallyn 提交于
      Just a few minor proposed updates.  Only the last one will
      actually affect behavior.  The rest are just misleading
      code.
      
      Several AUDIT_SET functions return 'old' value, but only
      return value <0 is checked for.  So just return 0.
      
      propagate audit_set_rate_limit and audit_set_backlog_limit
      error values
      
      In audit_buffer_free, the audit_freelist_count was being
      incremented even when we discard the return buffer, so
      audit_freelist_count can end up wrong.  This could cause
      the actual freelist to shrink over time, eventually
      threatening to degrate audit performance.
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      5d136a01
    • A
      [PATCH] collect sid of those who send signals to auditd · e1396065
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      e1396065
    • A
      [PATCH] execve argument logging · 473ae30b
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      473ae30b
    • A
      [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES · 9044e6bc
      Al Viro 提交于
      We should not send a pile of replies while holding audit_netlink_mutex
      since we hold the same mutex when we receive commands.  As the result,
      we can get blocked while sending and sit there holding the mutex while
      auditctl is unable to send the next command and get around to receiving
      what we'd sent.
      
      Solution: create skb and put them into a queue instead of sending;
      once we are done, send what we've got on the list.  The former can
      be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
      we are holding audit_netlink_mutex at that point.  The latter is done
      asynchronously and without messing with audit_netlink_mutex.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      9044e6bc
  11. 01 5月, 2006 3 次提交
  12. 01 4月, 2006 1 次提交
    • O
      [PATCH] Don't pass boot parameters to argv_init[] · 9b41046c
      OGAWA Hirofumi 提交于
      The boot cmdline is parsed in parse_early_param() and
      parse_args(,unknown_bootoption).
      
      And __setup() is used in obsolete_checksetup().
      
      	start_kernel()
      		-> parse_args()
      			-> unknown_bootoption()
      				-> obsolete_checksetup()
      
      If __setup()'s callback (->setup_func()) returns 1 in
      obsolete_checksetup(), obsolete_checksetup() thinks a parameter was
      handled.
      
      If ->setup_func() returns 0, obsolete_checksetup() tries other
      ->setup_func().  If all ->setup_func() that matched a parameter returns 0,
      a parameter is seted to argv_init[].
      
      Then, when runing /sbin/init or init=app, argv_init[] is passed to the app.
      If the app doesn't ignore those arguments, it will warning and exit.
      
      This patch fixes a wrong usage of it, however fixes obvious one only.
      Signed-off-by: NOGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      9b41046c
  13. 21 3月, 2006 9 次提交
  14. 19 1月, 2006 1 次提交
    • A
      [PATCH] EDAC: atomic scrub operations · 715b49ef
      Alan Cox 提交于
      EDAC requires a way to scrub memory if an ECC error is found and the chipset
      does not do the work automatically.  That means rewriting memory locations
      atomically with respect to all CPUs _and_ bus masters.  That means we can't
      use atomic_add(foo, 0) as it gets optimised for non-SMP
      
      This adds a function to include/asm-foo/atomic.h for the platforms currently
      supported which implements a scrub of a mapped block.
      
      It also adjusts a few other files include order where atomic.h is included
      before types.h as this now causes an error as atomic_scrub uses u32.
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      715b49ef
  15. 09 1月, 2006 1 次提交
  16. 13 12月, 2005 1 次提交
  17. 28 10月, 2005 1 次提交
  18. 09 10月, 2005 1 次提交
  19. 30 8月, 2005 2 次提交
  20. 17 8月, 2005 1 次提交
  21. 19 7月, 2005 1 次提交
  22. 15 7月, 2005 1 次提交
  23. 14 7月, 2005 1 次提交