1. 08 5月, 2013 2 次提交
    • J
      audit: vfs: fix audit_inode call in O_CREAT case of do_last · 33e2208a
      Jeff Layton 提交于
      Jiri reported a regression in auditing of open(..., O_CREAT) syscalls.
      In older kernels, creating a file with open(..., O_CREAT) created
      audit_name records that looked like this:
      
      type=PATH msg=audit(1360255720.628:64): item=1 name="/abc/foo" inode=138810 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      type=PATH msg=audit(1360255720.628:64): item=0 name="/abc/" inode=138635 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      
      ...in recent kernels though, they look like this:
      
      type=PATH msg=audit(1360255402.886:12574): item=2 name=(null) inode=264599 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      type=PATH msg=audit(1360255402.886:12574): item=1 name=(null) inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      type=PATH msg=audit(1360255402.886:12574): item=0 name="/abc/foo" inode=264598 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
      
      Richard bisected to determine that the problems started with commit
      bfcec708, but the log messages have changed with some later
      audit-related patches.
      
      The problem is that this audit_inode call is passing in the parent of
      the dentry being opened, but audit_inode is being called with the parent
      flag false. This causes later audit_inode and audit_inode_child calls to
      match the wrong entry in the audit_names list.
      
      This patch simply sets the flag to properly indicate that this inode
      represents the parent. With this, the audit_names entries are back to
      looking like they did before.
      
      Cc: <stable@vger.kernel.org> # v3.7+
      Reported-by: NJiri Jaburek <jjaburek@redhat.com>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Test By: Richard Guy Briggs <rbriggs@redhat.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      33e2208a
    • E
      audit: Make testing for a valid loginuid explicit. · 780a7654
      Eric W. Biederman 提交于
      audit rule additions containing "-F auid!=4294967295" were failing
      with EINVAL because of a regression caused by e1760bd5.
      
      Apparently some userland audit rule sets want to know if loginuid uid
      has been set and are using a test for auid != 4294967295 to determine
      that.
      
      In practice that is a horrible way to ask if a value has been set,
      because it relies on subtle implementation details and will break
      every time the uid implementation in the kernel changes.
      
      So add a clean way to test if the audit loginuid has been set, and
      silently convert the old idiom to the cleaner and more comprehensible
      new idiom.
      
      Cc: <stable@vger.kernel.org> # 3.7
      Reported-By: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Tested-by: NRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      780a7654
  2. 01 5月, 2013 12 次提交
  3. 17 4月, 2013 1 次提交
    • E
      audit: allow checking the type of audit message in the user filter · 62062cf8
      Eric Paris 提交于
      When userspace sends messages to the audit system it includes a type.
      We want to be able to filter messages based on that type without have to
      do the all or nothing option currently available on the
      AUDIT_FILTER_TYPE filter list.  Instead we should be able to use the
      AUDIT_FILTER_USER filter list and just use the message type as one part
      of the matching decision.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      62062cf8
  4. 16 4月, 2013 1 次提交
  5. 12 4月, 2013 2 次提交
    • G
      audit: remove duplicate export of audit_enabled · 72199caa
      Gao feng 提交于
      audit_enabled has already been exported in
      include/linux/audit.h. and kernel/audit.h
      includes include/linux/audit.h, no need to
      export aduit_enabled again in kernel/audit.h
      Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      72199caa
    • E
      Audit: do not print error when LSMs disabled · ad395abe
      Eric Paris 提交于
      RHBZ: 785936
      
      If the audit system collects a record about one process sending a signal
      to another process it includes in that collection the 'secid' or 'an int
      used to represet an LSM label.'  If there is no LSM enabled it will
      collect a 0.  The problem is that when we attempt to print that record
      we ask the LSM to convert the secid back to a string.  Since there is no
      LSM it returns EOPNOTSUPP.
      
      Most code in the audit system checks if the secid is 0 and does not
      print LSM info in that case.  The signal information code however forgot
      that check.  Thus users will see a message in syslog indicating that
      converting the sid to string failed.  Add the right check.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      ad395abe
  6. 11 4月, 2013 7 次提交
  7. 09 4月, 2013 4 次提交
  8. 19 2月, 2013 3 次提交
  9. 16 2月, 2013 7 次提交
  10. 15 2月, 2013 1 次提交