1. 28 6月, 2006 1 次提交
  2. 20 6月, 2006 6 次提交
    • A
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis 提交于
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • A
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis 提交于
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145Signed-off-by: NAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • S
      [PATCH] minor audit updates · 5d136a01
      Serge E. Hallyn 提交于
      Just a few minor proposed updates.  Only the last one will
      actually affect behavior.  The rest are just misleading
      code.
      
      Several AUDIT_SET functions return 'old' value, but only
      return value <0 is checked for.  So just return 0.
      
      propagate audit_set_rate_limit and audit_set_backlog_limit
      error values
      
      In audit_buffer_free, the audit_freelist_count was being
      incremented even when we discard the return buffer, so
      audit_freelist_count can end up wrong.  This could cause
      the actual freelist to shrink over time, eventually
      threatening to degrate audit performance.
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      5d136a01
    • A
      [PATCH] collect sid of those who send signals to auditd · e1396065
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      e1396065
    • A
      [PATCH] execve argument logging · 473ae30b
      Al Viro 提交于
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      473ae30b
    • A
      [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES · 9044e6bc
      Al Viro 提交于
      We should not send a pile of replies while holding audit_netlink_mutex
      since we hold the same mutex when we receive commands.  As the result,
      we can get blocked while sending and sit there holding the mutex while
      auditctl is unable to send the next command and get around to receiving
      what we'd sent.
      
      Solution: create skb and put them into a queue instead of sending;
      once we are done, send what we've got on the list.  The former can
      be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
      we are holding audit_netlink_mutex at that point.  The latter is done
      asynchronously and without messing with audit_netlink_mutex.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      9044e6bc
  3. 01 5月, 2006 3 次提交
  4. 01 4月, 2006 1 次提交
    • O
      [PATCH] Don't pass boot parameters to argv_init[] · 9b41046c
      OGAWA Hirofumi 提交于
      The boot cmdline is parsed in parse_early_param() and
      parse_args(,unknown_bootoption).
      
      And __setup() is used in obsolete_checksetup().
      
      	start_kernel()
      		-> parse_args()
      			-> unknown_bootoption()
      				-> obsolete_checksetup()
      
      If __setup()'s callback (->setup_func()) returns 1 in
      obsolete_checksetup(), obsolete_checksetup() thinks a parameter was
      handled.
      
      If ->setup_func() returns 0, obsolete_checksetup() tries other
      ->setup_func().  If all ->setup_func() that matched a parameter returns 0,
      a parameter is seted to argv_init[].
      
      Then, when runing /sbin/init or init=app, argv_init[] is passed to the app.
      If the app doesn't ignore those arguments, it will warning and exit.
      
      This patch fixes a wrong usage of it, however fixes obvious one only.
      Signed-off-by: NOGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      9b41046c
  5. 21 3月, 2006 9 次提交
  6. 19 1月, 2006 1 次提交
    • A
      [PATCH] EDAC: atomic scrub operations · 715b49ef
      Alan Cox 提交于
      EDAC requires a way to scrub memory if an ECC error is found and the chipset
      does not do the work automatically.  That means rewriting memory locations
      atomically with respect to all CPUs _and_ bus masters.  That means we can't
      use atomic_add(foo, 0) as it gets optimised for non-SMP
      
      This adds a function to include/asm-foo/atomic.h for the platforms currently
      supported which implements a scrub of a mapped block.
      
      It also adjusts a few other files include order where atomic.h is included
      before types.h as this now causes an error as atomic_scrub uses u32.
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      715b49ef
  7. 09 1月, 2006 1 次提交
  8. 13 12月, 2005 1 次提交
  9. 28 10月, 2005 1 次提交
  10. 09 10月, 2005 1 次提交
  11. 30 8月, 2005 2 次提交
  12. 17 8月, 2005 1 次提交
  13. 19 7月, 2005 1 次提交
  14. 15 7月, 2005 1 次提交
  15. 14 7月, 2005 1 次提交
  16. 02 7月, 2005 1 次提交
    • D
      AUDIT: Stop waiting for backlog after audit_panic() happens · ac4cec44
      David Woodhouse 提交于
      We force a rate-limit on auditable events by making them wait for space 
      on the backlog queue. However, if auditd really is AWOL then this could 
      potentially bring the entire system to a halt, depending on the audit 
      rules in effect.
      
      Firstly, make sure the wait time is honoured correctly -- it's the 
      maximum time the process should wait, rather than the time to wait 
      _each_ time round the loop. We were getting re-woken _each_ time a 
      packet was dequeued, and the timeout was being restarted each time.
      
      Secondly, reset the wait time after audit_panic() is called. In general 
      this will be reset to zero, to allow progress to be made. If the system
      is configured to _actually_ panic on audit_panic() then that will 
      already have happened; otherwise we know that audit records are being 
      lost anyway. 
      
      These two tunables can't be exposed via AUDIT_GET and AUDIT_SET because 
      those aren't particularly well-designed. It probably should have been 
      done by sysctls or sysfs anyway -- one for a later patch.
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      ac4cec44
  17. 25 6月, 2005 1 次提交
  18. 24 6月, 2005 1 次提交
  19. 22 6月, 2005 3 次提交
  20. 21 6月, 2005 1 次提交
  21. 20 6月, 2005 2 次提交